gina 0.3.15-alpha.5 → 0.3.15
- package/CHANGELOG.md +25 -0
- package/README.md +7 -43
- package/framework/v0.3.15/VERSION +1 -0
- package/framework/{v0.3.15-alpha.5 → v0.3.15}/package.json +1 -1
- package/gna.js +4 -4
- package/package.json +19 -3
- package/framework/v0.3.15-alpha.5/VERSION +0 -1
- /package/framework/{v0.3.15-alpha.5 → v0.3.15}/AUTHORS +0 -0
- /package/framework/{v0.3.15-alpha.5 → v0.3.15}/LICENSE +0 -0
- /package/framework/{v0.3.15-alpha.5 → v0.3.15}/core/asset/html/nolayout.html +0 -0
- /package/framework/{v0.3.15-alpha.5 → v0.3.15}/core/asset/html/static.html +0 -0
- /package/framework/{v0.3.15-alpha.5 → v0.3.15}/core/asset/img/android-chrome-192x192.png +0 -0
- /package/framework/{v0.3.15-alpha.5 → v0.3.15}/core/asset/img/android-chrome-512x512.png +0 -0
- /package/framework/{v0.3.15-alpha.5 → v0.3.15}/core/asset/img/apple-touch-icon.png +0 -0
- /package/framework/{v0.3.15-alpha.5 → v0.3.15}/core/asset/img/favicon-16x16.png +0 -0
- /package/framework/{v0.3.15-alpha.5 → v0.3.15}/core/asset/img/favicon-32x32.png +0 -0
- /package/framework/{v0.3.15-alpha.5 → v0.3.15}/core/asset/img/favicon.ico +0 -0
- /package/framework/{v0.3.15-alpha.5 → v0.3.15}/core/asset/plugin/README.md +0 -0
- /package/framework/{v0.3.15-alpha.5 → v0.3.15}/core/asset/plugin/dist/vendor/gina/beemaster/beemaster.css +0 -0
- /package/framework/{v0.3.15-alpha.5 → v0.3.15}/core/asset/plugin/dist/vendor/gina/beemaster/beemaster.js +0 -0
- /package/framework/{v0.3.15-alpha.5 → v0.3.15}/core/asset/plugin/dist/vendor/gina/beemaster/index.html +0 -0
- /package/framework/{v0.3.15-alpha.5 → v0.3.15}/core/asset/plugin/dist/vendor/gina/css/gina.min.css +0 -0
- /package/framework/{v0.3.15-alpha.5 → v0.3.15}/core/asset/plugin/dist/vendor/gina/css/gina.min.css.br +0 -0
- /package/framework/{v0.3.15-alpha.5 → v0.3.15}/core/asset/plugin/dist/vendor/gina/css/gina.min.css.gz +0 -0
- /package/framework/{v0.3.15-alpha.5 → v0.3.15}/core/asset/plugin/dist/vendor/gina/html/statusbar.html +0 -0
- /package/framework/{v0.3.15-alpha.5 → v0.3.15}/core/asset/plugin/dist/vendor/gina/html/statusbar.html.br +0 -0
- /package/framework/{v0.3.15-alpha.5 → v0.3.15}/core/asset/plugin/dist/vendor/gina/html/statusbar.html.gz +0 -0
- /package/framework/{v0.3.15-alpha.5 → v0.3.15}/core/asset/plugin/dist/vendor/gina/inspector/have_heart_one-webfont.woff2 +0 -0
- /package/framework/{v0.3.15-alpha.5 → v0.3.15}/core/asset/plugin/dist/vendor/gina/inspector/index.html +0 -0
- /package/framework/{v0.3.15-alpha.5 → v0.3.15}/core/asset/plugin/dist/vendor/gina/inspector/inspector.css +0 -0
- /package/framework/{v0.3.15-alpha.5 → v0.3.15}/core/asset/plugin/dist/vendor/gina/inspector/inspector.js +0 -0
- /package/framework/{v0.3.15-alpha.5 → v0.3.15}/core/asset/plugin/dist/vendor/gina/inspector/logo.svg +0 -0
- /package/framework/{v0.3.15-alpha.5 → v0.3.15}/core/asset/plugin/dist/vendor/gina/js/gina.js +0 -0
- /package/framework/{v0.3.15-alpha.5 → v0.3.15}/core/asset/plugin/dist/vendor/gina/js/gina.min.js +0 -0
- /package/framework/{v0.3.15-alpha.5 → v0.3.15}/core/asset/plugin/dist/vendor/gina/js/gina.min.js.br +0 -0
- /package/framework/{v0.3.15-alpha.5 → v0.3.15}/core/asset/plugin/dist/vendor/gina/js/gina.min.js.gz +0 -0
- /package/framework/{v0.3.15-alpha.5 → v0.3.15}/core/asset/plugin/dist/vendor/gina/js/gina.onload.min.js +0 -0
- /package/framework/{v0.3.15-alpha.5 → v0.3.15}/core/asset/plugin/dist/vendor/gina/js/gina.onload.min.js.br +0 -0
- /package/framework/{v0.3.15-alpha.5 → v0.3.15}/core/asset/plugin/dist/vendor/gina/js/gina.onload.min.js.gz +0 -0
- /package/framework/{v0.3.15-alpha.5 → v0.3.15}/core/config.js +0 -0
- /package/framework/{v0.3.15-alpha.5 → v0.3.15}/core/connectors/ai/index.js +0 -0
- /package/framework/{v0.3.15-alpha.5 → v0.3.15}/core/connectors/ai/lib/connector.js +0 -0
- /package/framework/{v0.3.15-alpha.5 → v0.3.15}/core/connectors/couchbase/index.js +0 -0
- /package/framework/{v0.3.15-alpha.5 → v0.3.15}/core/connectors/couchbase/lib/connector.js +0 -0
- /package/framework/{v0.3.15-alpha.5 → v0.3.15}/core/connectors/couchbase/lib/connector.v2.js +0 -0
- /package/framework/{v0.3.15-alpha.5 → v0.3.15}/core/connectors/couchbase/lib/connector.v3.js +0 -0
- /package/framework/{v0.3.15-alpha.5 → v0.3.15}/core/connectors/couchbase/lib/connector.v4.js +0 -0
- /package/framework/{v0.3.15-alpha.5 → v0.3.15}/core/connectors/couchbase/lib/n1ql.js +0 -0
- /package/framework/{v0.3.15-alpha.5 → v0.3.15}/core/connectors/couchbase/lib/session-store.js +0 -0
- /package/framework/{v0.3.15-alpha.5 → v0.3.15}/core/connectors/couchbase/lib/session-store.v2.js +0 -0
- /package/framework/{v0.3.15-alpha.5 → v0.3.15}/core/connectors/couchbase/lib/session-store.v3.js +0 -0
- /package/framework/{v0.3.15-alpha.5 → v0.3.15}/core/connectors/couchbase/lib/session-store.v4.js +0 -0
- /package/framework/{v0.3.15-alpha.5 → v0.3.15}/core/connectors/mongodb/index.js +0 -0
- /package/framework/{v0.3.15-alpha.5 → v0.3.15}/core/connectors/mongodb/lib/connector.js +0 -0
- /package/framework/{v0.3.15-alpha.5 → v0.3.15}/core/connectors/mongodb/lib/pipeline-loader.js +0 -0
- /package/framework/{v0.3.15-alpha.5 → v0.3.15}/core/connectors/mongodb/lib/session-store.js +0 -0
- /package/framework/{v0.3.15-alpha.5 → v0.3.15}/core/connectors/mysql/index.js +0 -0
- /package/framework/{v0.3.15-alpha.5 → v0.3.15}/core/connectors/mysql/lib/connector.js +0 -0
- /package/framework/{v0.3.15-alpha.5 → v0.3.15}/core/connectors/postgresql/index.js +0 -0
- /package/framework/{v0.3.15-alpha.5 → v0.3.15}/core/connectors/postgresql/lib/connector.js +0 -0
- /package/framework/{v0.3.15-alpha.5 → v0.3.15}/core/connectors/redis/index.js +0 -0
- /package/framework/{v0.3.15-alpha.5 → v0.3.15}/core/connectors/redis/lib/session-store.js +0 -0
- /package/framework/{v0.3.15-alpha.5 → v0.3.15}/core/connectors/scylladb/index.js +0 -0
- /package/framework/{v0.3.15-alpha.5 → v0.3.15}/core/connectors/scylladb/lib/connector.js +0 -0
- /package/framework/{v0.3.15-alpha.5 → v0.3.15}/core/connectors/scylladb/lib/session-store.js +0 -0
- /package/framework/{v0.3.15-alpha.5 → v0.3.15}/core/connectors/sql-parser.js +0 -0
- /package/framework/{v0.3.15-alpha.5 → v0.3.15}/core/connectors/sqlite/index.js +0 -0
- /package/framework/{v0.3.15-alpha.5 → v0.3.15}/core/connectors/sqlite/lib/connector.js +0 -0
- /package/framework/{v0.3.15-alpha.5 → v0.3.15}/core/connectors/sqlite/lib/session-store.js +0 -0
- /package/framework/{v0.3.15-alpha.5 → v0.3.15}/core/content.encoding +0 -0
- /package/framework/{v0.3.15-alpha.5 → v0.3.15}/core/controller/controller.framework.js +0 -0
- /package/framework/{v0.3.15-alpha.5 → v0.3.15}/core/controller/controller.js +0 -0
- /package/framework/{v0.3.15-alpha.5 → v0.3.15}/core/controller/controller.render-json.js +0 -0
- /package/framework/{v0.3.15-alpha.5 → v0.3.15}/core/controller/controller.render-nunjucks.js +0 -0
- /package/framework/{v0.3.15-alpha.5 → v0.3.15}/core/controller/controller.render-stream.js +0 -0
- /package/framework/{v0.3.15-alpha.5 → v0.3.15}/core/controller/controller.render-swig.js +0 -0
- /package/framework/{v0.3.15-alpha.5 → v0.3.15}/core/controller/controller.render-v1.js +0 -0
- /package/framework/{v0.3.15-alpha.5 → v0.3.15}/core/controller/index.js +0 -0
- /package/framework/{v0.3.15-alpha.5 → v0.3.15}/core/deps/busboy-1.6.0/LICENSE +0 -0
- /package/framework/{v0.3.15-alpha.5 → v0.3.15}/core/deps/busboy-1.6.0/README.md +0 -0
- /package/framework/{v0.3.15-alpha.5 → v0.3.15}/core/deps/busboy-1.6.0/lib/index.js +0 -0
- /package/framework/{v0.3.15-alpha.5 → v0.3.15}/core/deps/busboy-1.6.0/lib/types/multipart.js +0 -0
- /package/framework/{v0.3.15-alpha.5 → v0.3.15}/core/deps/busboy-1.6.0/lib/types/urlencoded.js +0 -0
- /package/framework/{v0.3.15-alpha.5 → v0.3.15}/core/deps/busboy-1.6.0/lib/utils.js +0 -0
- /package/framework/{v0.3.15-alpha.5 → v0.3.15}/core/deps/busboy-1.6.0/package.json +0 -0
- /package/framework/{v0.3.15-alpha.5 → v0.3.15}/core/deps/streamsearch-1.1.0/LICENSE +0 -0
- /package/framework/{v0.3.15-alpha.5 → v0.3.15}/core/deps/streamsearch-1.1.0/lib/sbmh.js +0 -0
- /package/framework/{v0.3.15-alpha.5 → v0.3.15}/core/deps/streamsearch-1.1.0/package.json +0 -0
- /package/framework/{v0.3.15-alpha.5 → v0.3.15}/core/dev/index.js +0 -0
- /package/framework/{v0.3.15-alpha.5 → v0.3.15}/core/dev/lib/class.js +0 -0
- /package/framework/{v0.3.15-alpha.5 → v0.3.15}/core/dev/lib/factory.js +0 -0
- /package/framework/{v0.3.15-alpha.5 → v0.3.15}/core/dev/lib/tools.js +0 -0
- /package/framework/{v0.3.15-alpha.5 → v0.3.15}/core/gna.js +0 -0
- /package/framework/{v0.3.15-alpha.5 → v0.3.15}/core/locales/README.md +0 -0
- /package/framework/{v0.3.15-alpha.5 → v0.3.15}/core/locales/currency.json +0 -0
- /package/framework/{v0.3.15-alpha.5 → v0.3.15}/core/locales/dist/language/en.json +0 -0
- /package/framework/{v0.3.15-alpha.5 → v0.3.15}/core/locales/dist/language/fr.json +0 -0
- /package/framework/{v0.3.15-alpha.5 → v0.3.15}/core/locales/dist/region/en.json +0 -0
- /package/framework/{v0.3.15-alpha.5 → v0.3.15}/core/locales/dist/region/fr.json +0 -0
- /package/framework/{v0.3.15-alpha.5 → v0.3.15}/core/locales/index.js +0 -0
- /package/framework/{v0.3.15-alpha.5 → v0.3.15}/core/mime.types +0 -0
- /package/framework/{v0.3.15-alpha.5 → v0.3.15}/core/model/entity.js +0 -0
- /package/framework/{v0.3.15-alpha.5 → v0.3.15}/core/model/index.js +0 -0
- /package/framework/{v0.3.15-alpha.5 → v0.3.15}/core/model/template/entityFactory.js +0 -0
- /package/framework/{v0.3.15-alpha.5 → v0.3.15}/core/model/template/index.js +0 -0
- /package/framework/{v0.3.15-alpha.5 → v0.3.15}/core/plugins/README.md +0 -0
- /package/framework/{v0.3.15-alpha.5 → v0.3.15}/core/plugins/index.js +0 -0
- /package/framework/{v0.3.15-alpha.5 → v0.3.15}/core/plugins/lib/csrf/README.md +0 -0
- /package/framework/{v0.3.15-alpha.5 → v0.3.15}/core/plugins/lib/csrf/package.json +0 -0
- /package/framework/{v0.3.15-alpha.5 → v0.3.15}/core/plugins/lib/csrf/src/main.js +0 -0
- /package/framework/{v0.3.15-alpha.5 → v0.3.15}/core/plugins/lib/security-headers/README.md +0 -0
- /package/framework/{v0.3.15-alpha.5 → v0.3.15}/core/plugins/lib/security-headers/coep/README.md +0 -0
- /package/framework/{v0.3.15-alpha.5 → v0.3.15}/core/plugins/lib/security-headers/coep/package.json +0 -0
- /package/framework/{v0.3.15-alpha.5 → v0.3.15}/core/plugins/lib/security-headers/coep/src/main.js +0 -0
- /package/framework/{v0.3.15-alpha.5 → v0.3.15}/core/plugins/lib/security-headers/coop/README.md +0 -0
- /package/framework/{v0.3.15-alpha.5 → v0.3.15}/core/plugins/lib/security-headers/coop/package.json +0 -0
- /package/framework/{v0.3.15-alpha.5 → v0.3.15}/core/plugins/lib/security-headers/coop/src/main.js +0 -0
- /package/framework/{v0.3.15-alpha.5 → v0.3.15}/core/plugins/lib/security-headers/corp/README.md +0 -0
- /package/framework/{v0.3.15-alpha.5 → v0.3.15}/core/plugins/lib/security-headers/corp/package.json +0 -0
- /package/framework/{v0.3.15-alpha.5 → v0.3.15}/core/plugins/lib/security-headers/corp/src/main.js +0 -0
- /package/framework/{v0.3.15-alpha.5 → v0.3.15}/core/plugins/lib/security-headers/csp/README.md +0 -0
- /package/framework/{v0.3.15-alpha.5 → v0.3.15}/core/plugins/lib/security-headers/csp/package.json +0 -0
- /package/framework/{v0.3.15-alpha.5 → v0.3.15}/core/plugins/lib/security-headers/csp/src/main.js +0 -0
- /package/framework/{v0.3.15-alpha.5 → v0.3.15}/core/plugins/lib/security-headers/hide-powered-by/README.md +0 -0
- /package/framework/{v0.3.15-alpha.5 → v0.3.15}/core/plugins/lib/security-headers/hide-powered-by/package.json +0 -0
- /package/framework/{v0.3.15-alpha.5 → v0.3.15}/core/plugins/lib/security-headers/hide-powered-by/src/main.js +0 -0
- /package/framework/{v0.3.15-alpha.5 → v0.3.15}/core/plugins/lib/security-headers/hsts/README.md +0 -0
- /package/framework/{v0.3.15-alpha.5 → v0.3.15}/core/plugins/lib/security-headers/hsts/package.json +0 -0
- /package/framework/{v0.3.15-alpha.5 → v0.3.15}/core/plugins/lib/security-headers/hsts/src/main.js +0 -0
- /package/framework/{v0.3.15-alpha.5 → v0.3.15}/core/plugins/lib/security-headers/origin-agent-cluster/README.md +0 -0
- /package/framework/{v0.3.15-alpha.5 → v0.3.15}/core/plugins/lib/security-headers/origin-agent-cluster/package.json +0 -0
- /package/framework/{v0.3.15-alpha.5 → v0.3.15}/core/plugins/lib/security-headers/origin-agent-cluster/src/main.js +0 -0
- /package/framework/{v0.3.15-alpha.5 → v0.3.15}/core/plugins/lib/security-headers/package.json +0 -0
- /package/framework/{v0.3.15-alpha.5 → v0.3.15}/core/plugins/lib/security-headers/referrer-policy/README.md +0 -0
- /package/framework/{v0.3.15-alpha.5 → v0.3.15}/core/plugins/lib/security-headers/referrer-policy/package.json +0 -0
- /package/framework/{v0.3.15-alpha.5 → v0.3.15}/core/plugins/lib/security-headers/referrer-policy/src/main.js +0 -0
- /package/framework/{v0.3.15-alpha.5 → v0.3.15}/core/plugins/lib/security-headers/src/main.js +0 -0
- /package/framework/{v0.3.15-alpha.5 → v0.3.15}/core/plugins/lib/security-headers/x-content-type-options/README.md +0 -0
- /package/framework/{v0.3.15-alpha.5 → v0.3.15}/core/plugins/lib/security-headers/x-content-type-options/package.json +0 -0
- /package/framework/{v0.3.15-alpha.5 → v0.3.15}/core/plugins/lib/security-headers/x-content-type-options/src/main.js +0 -0
- /package/framework/{v0.3.15-alpha.5 → v0.3.15}/core/plugins/lib/security-headers/x-dns-prefetch-control/README.md +0 -0
- /package/framework/{v0.3.15-alpha.5 → v0.3.15}/core/plugins/lib/security-headers/x-dns-prefetch-control/package.json +0 -0
- /package/framework/{v0.3.15-alpha.5 → v0.3.15}/core/plugins/lib/security-headers/x-dns-prefetch-control/src/main.js +0 -0
- /package/framework/{v0.3.15-alpha.5 → v0.3.15}/core/plugins/lib/security-headers/x-download-options/README.md +0 -0
- /package/framework/{v0.3.15-alpha.5 → v0.3.15}/core/plugins/lib/security-headers/x-download-options/package.json +0 -0
- /package/framework/{v0.3.15-alpha.5 → v0.3.15}/core/plugins/lib/security-headers/x-download-options/src/main.js +0 -0
- /package/framework/{v0.3.15-alpha.5 → v0.3.15}/core/plugins/lib/security-headers/x-frame-options/README.md +0 -0
- /package/framework/{v0.3.15-alpha.5 → v0.3.15}/core/plugins/lib/security-headers/x-frame-options/package.json +0 -0
- /package/framework/{v0.3.15-alpha.5 → v0.3.15}/core/plugins/lib/security-headers/x-frame-options/src/main.js +0 -0
- /package/framework/{v0.3.15-alpha.5 → v0.3.15}/core/plugins/lib/security-headers/x-permitted-cross-domain-policies/README.md +0 -0
- /package/framework/{v0.3.15-alpha.5 → v0.3.15}/core/plugins/lib/security-headers/x-permitted-cross-domain-policies/package.json +0 -0
- /package/framework/{v0.3.15-alpha.5 → v0.3.15}/core/plugins/lib/security-headers/x-permitted-cross-domain-policies/src/main.js +0 -0
- /package/framework/{v0.3.15-alpha.5 → v0.3.15}/core/plugins/lib/security-headers/x-xss-protection/README.md +0 -0
- /package/framework/{v0.3.15-alpha.5 → v0.3.15}/core/plugins/lib/security-headers/x-xss-protection/package.json +0 -0
- /package/framework/{v0.3.15-alpha.5 → v0.3.15}/core/plugins/lib/security-headers/x-xss-protection/src/main.js +0 -0
- /package/framework/{v0.3.15-alpha.5 → v0.3.15}/core/plugins/lib/session/README.md +0 -0
- /package/framework/{v0.3.15-alpha.5 → v0.3.15}/core/plugins/lib/session/package.json +0 -0
- /package/framework/{v0.3.15-alpha.5 → v0.3.15}/core/plugins/lib/session/src/main.js +0 -0
- /package/framework/{v0.3.15-alpha.5 → v0.3.15}/core/plugins/lib/storage/README.md +0 -0
- /package/framework/{v0.3.15-alpha.5 → v0.3.15}/core/plugins/lib/storage/build.json +0 -0
- /package/framework/{v0.3.15-alpha.5 → v0.3.15}/core/plugins/lib/storage/package.json +0 -0
- /package/framework/{v0.3.15-alpha.5 → v0.3.15}/core/plugins/lib/storage/src/main.js +0 -0
- /package/framework/{v0.3.15-alpha.5 → v0.3.15}/core/plugins/lib/validator/README.md +0 -0
- /package/framework/{v0.3.15-alpha.5 → v0.3.15}/core/plugins/lib/validator/build.json +0 -0
- /package/framework/{v0.3.15-alpha.5 → v0.3.15}/core/plugins/lib/validator/package.json +0 -0
- /package/framework/{v0.3.15-alpha.5 → v0.3.15}/core/plugins/lib/validator/src/form-validator.js +0 -0
- /package/framework/{v0.3.15-alpha.5 → v0.3.15}/core/plugins/lib/validator/src/main.js +0 -0
- /package/framework/{v0.3.15-alpha.5 → v0.3.15}/core/router.js +0 -0
- /package/framework/{v0.3.15-alpha.5 → v0.3.15}/core/server.express.js +0 -0
- /package/framework/{v0.3.15-alpha.5 → v0.3.15}/core/server.isaac.js +0 -0
- /package/framework/{v0.3.15-alpha.5 → v0.3.15}/core/server.js +0 -0
- /package/framework/{v0.3.15-alpha.5 → v0.3.15}/core/status.codes +0 -0
- /package/framework/{v0.3.15-alpha.5 → v0.3.15}/core/template/_gitignore +0 -0
- /package/framework/{v0.3.15-alpha.5 → v0.3.15}/core/template/boilerplate/bundle/config/app.json +0 -0
- /package/framework/{v0.3.15-alpha.5 → v0.3.15}/core/template/boilerplate/bundle/config/connectors.json +0 -0
- /package/framework/{v0.3.15-alpha.5 → v0.3.15}/core/template/boilerplate/bundle/config/routing.json +0 -0
- /package/framework/{v0.3.15-alpha.5 → v0.3.15}/core/template/boilerplate/bundle/config/settings.json +0 -0
- /package/framework/{v0.3.15-alpha.5 → v0.3.15}/core/template/boilerplate/bundle/config/settings.server.json +0 -0
- /package/framework/{v0.3.15-alpha.5 → v0.3.15}/core/template/boilerplate/bundle/config/templates.json +0 -0
- /package/framework/{v0.3.15-alpha.5 → v0.3.15}/core/template/boilerplate/bundle/config/watchers.json +0 -0
- /package/framework/{v0.3.15-alpha.5 → v0.3.15}/core/template/boilerplate/bundle/controllers/controller.content.js +0 -0
- /package/framework/{v0.3.15-alpha.5 → v0.3.15}/core/template/boilerplate/bundle/controllers/controller.js +0 -0
- /package/framework/{v0.3.15-alpha.5 → v0.3.15}/core/template/boilerplate/bundle/controllers/setup.js +0 -0
- /package/framework/{v0.3.15-alpha.5 → v0.3.15}/core/template/boilerplate/bundle/index.js +0 -0
- /package/framework/{v0.3.15-alpha.5 → v0.3.15}/core/template/boilerplate/bundle/locales/en.json +0 -0
- /package/framework/{v0.3.15-alpha.5 → v0.3.15}/core/template/boilerplate/bundle_namespace/controllers/controller.js +0 -0
- /package/framework/{v0.3.15-alpha.5 → v0.3.15}/core/template/boilerplate/bundle_public/css/default.css +0 -0
- /package/framework/{v0.3.15-alpha.5 → v0.3.15}/core/template/boilerplate/bundle_public/css/home.css +0 -0
- /package/framework/{v0.3.15-alpha.5 → v0.3.15}/core/template/boilerplate/bundle_public/css/vendor/readme.md +0 -0
- /package/framework/{v0.3.15-alpha.5 → v0.3.15}/core/template/boilerplate/bundle_public/favicon.ico +0 -0
- /package/framework/{v0.3.15-alpha.5 → v0.3.15}/core/template/boilerplate/bundle_public/js/vendor/readme.md +0 -0
- /package/framework/{v0.3.15-alpha.5 → v0.3.15}/core/template/boilerplate/bundle_public/manifest.webmanifest +0 -0
- /package/framework/{v0.3.15-alpha.5 → v0.3.15}/core/template/boilerplate/bundle_public/readme.md +0 -0
- /package/framework/{v0.3.15-alpha.5 → v0.3.15}/core/template/boilerplate/bundle_public/sw.js +0 -0
- /package/framework/{v0.3.15-alpha.5 → v0.3.15}/core/template/boilerplate/bundle_templates/handlers/main.js +0 -0
- /package/framework/{v0.3.15-alpha.5 → v0.3.15}/core/template/boilerplate/bundle_templates/html/content/homepage.html +0 -0
- /package/framework/{v0.3.15-alpha.5 → v0.3.15}/core/template/boilerplate/bundle_templates/html/includes/error-msg-noscript.html +0 -0
- /package/framework/{v0.3.15-alpha.5 → v0.3.15}/core/template/boilerplate/bundle_templates/html/includes/error-msg-outdated-browser.html +0 -0
- /package/framework/{v0.3.15-alpha.5 → v0.3.15}/core/template/boilerplate/bundle_templates/html/layouts/main.html +0 -0
- /package/framework/{v0.3.15-alpha.5 → v0.3.15}/core/template/command/gina.bat.tpl +0 -0
- /package/framework/{v0.3.15-alpha.5 → v0.3.15}/core/template/command/gina.tpl +0 -0
- /package/framework/{v0.3.15-alpha.5 → v0.3.15}/core/template/conf/env.json +0 -0
- /package/framework/{v0.3.15-alpha.5 → v0.3.15}/core/template/conf/manifest.json +0 -0
- /package/framework/{v0.3.15-alpha.5 → v0.3.15}/core/template/conf/package.json +0 -0
- /package/framework/{v0.3.15-alpha.5 → v0.3.15}/core/template/conf/settings.json +0 -0
- /package/framework/{v0.3.15-alpha.5 → v0.3.15}/core/template/conf/statics.json +0 -0
- /package/framework/{v0.3.15-alpha.5 → v0.3.15}/core/template/conf/templates.json +0 -0
- /package/framework/{v0.3.15-alpha.5 → v0.3.15}/core/template/error/client/json/401.json +0 -0
- /package/framework/{v0.3.15-alpha.5 → v0.3.15}/core/template/error/client/json/403.json +0 -0
- /package/framework/{v0.3.15-alpha.5 → v0.3.15}/core/template/error/client/json/404.json +0 -0
- /package/framework/{v0.3.15-alpha.5 → v0.3.15}/core/template/error/server/html/50x.html +0 -0
- /package/framework/{v0.3.15-alpha.5 → v0.3.15}/core/template/error/server/json/500.json +0 -0
- /package/framework/{v0.3.15-alpha.5 → v0.3.15}/core/template/error/server/json/503.json +0 -0
- /package/framework/{v0.3.15-alpha.5 → v0.3.15}/core/template/extensions/logger/config.json +0 -0
- /package/framework/{v0.3.15-alpha.5 → v0.3.15}/helpers/console.js +0 -0
- /package/framework/{v0.3.15-alpha.5 → v0.3.15}/helpers/context.js +0 -0
- /package/framework/{v0.3.15-alpha.5 → v0.3.15}/helpers/data/LICENSE +0 -0
- /package/framework/{v0.3.15-alpha.5 → v0.3.15}/helpers/data/README.md +0 -0
- /package/framework/{v0.3.15-alpha.5 → v0.3.15}/helpers/data/package.json +0 -0
- /package/framework/{v0.3.15-alpha.5 → v0.3.15}/helpers/data/src/main.js +0 -0
- /package/framework/{v0.3.15-alpha.5 → v0.3.15}/helpers/dateFormat.js +0 -0
- /package/framework/{v0.3.15-alpha.5 → v0.3.15}/helpers/index.js +0 -0
- /package/framework/{v0.3.15-alpha.5 → v0.3.15}/helpers/json/LICENSE +0 -0
- /package/framework/{v0.3.15-alpha.5 → v0.3.15}/helpers/json/README.md +0 -0
- /package/framework/{v0.3.15-alpha.5 → v0.3.15}/helpers/json/package.json +0 -0
- /package/framework/{v0.3.15-alpha.5 → v0.3.15}/helpers/json/src/main.js +0 -0
- /package/framework/{v0.3.15-alpha.5 → v0.3.15}/helpers/path.js +0 -0
- /package/framework/{v0.3.15-alpha.5 → v0.3.15}/helpers/plugins/README.md +0 -0
- /package/framework/{v0.3.15-alpha.5 → v0.3.15}/helpers/plugins/package.json +0 -0
- /package/framework/{v0.3.15-alpha.5 → v0.3.15}/helpers/plugins/src/api-error.js +0 -0
- /package/framework/{v0.3.15-alpha.5 → v0.3.15}/helpers/plugins/src/main.js +0 -0
- /package/framework/{v0.3.15-alpha.5 → v0.3.15}/helpers/prototypes.js +0 -0
- /package/framework/{v0.3.15-alpha.5 → v0.3.15}/helpers/task.js +0 -0
- /package/framework/{v0.3.15-alpha.5 → v0.3.15}/helpers/text.js +0 -0
- /package/framework/{v0.3.15-alpha.5 → v0.3.15}/lib/archiver/README.md +0 -0
- /package/framework/{v0.3.15-alpha.5 → v0.3.15}/lib/archiver/build.json +0 -0
- /package/framework/{v0.3.15-alpha.5 → v0.3.15}/lib/archiver/package.json +0 -0
- /package/framework/{v0.3.15-alpha.5 → v0.3.15}/lib/archiver/src/dep/jszip.min.js +0 -0
- /package/framework/{v0.3.15-alpha.5 → v0.3.15}/lib/archiver/src/main.js +0 -0
- /package/framework/{v0.3.15-alpha.5 → v0.3.15}/lib/async/package.json +0 -0
- /package/framework/{v0.3.15-alpha.5 → v0.3.15}/lib/async/src/main.js +0 -0
- /package/framework/{v0.3.15-alpha.5 → v0.3.15}/lib/cache/README.md +0 -0
- /package/framework/{v0.3.15-alpha.5 → v0.3.15}/lib/cache/build.json +0 -0
- /package/framework/{v0.3.15-alpha.5 → v0.3.15}/lib/cache/package.json +0 -0
- /package/framework/{v0.3.15-alpha.5 → v0.3.15}/lib/cache/src/main.js +0 -0
- /package/framework/{v0.3.15-alpha.5 → v0.3.15}/lib/cmd/aliases.json +0 -0
- /package/framework/{v0.3.15-alpha.5 → v0.3.15}/lib/cmd/bundle/add.js +0 -0
- /package/framework/{v0.3.15-alpha.5 → v0.3.15}/lib/cmd/bundle/arguments.json +0 -0
- /package/framework/{v0.3.15-alpha.5 → v0.3.15}/lib/cmd/bundle/build.js +0 -0
- /package/framework/{v0.3.15-alpha.5 → v0.3.15}/lib/cmd/bundle/copy.js +0 -0
- /package/framework/{v0.3.15-alpha.5 → v0.3.15}/lib/cmd/bundle/cp.js +0 -0
- /package/framework/{v0.3.15-alpha.5 → v0.3.15}/lib/cmd/bundle/help.js +0 -0
- /package/framework/{v0.3.15-alpha.5 → v0.3.15}/lib/cmd/bundle/help.txt +0 -0
- /package/framework/{v0.3.15-alpha.5 → v0.3.15}/lib/cmd/bundle/list.js +0 -0
- /package/framework/{v0.3.15-alpha.5 → v0.3.15}/lib/cmd/bundle/mcp-start.js +0 -0
- /package/framework/{v0.3.15-alpha.5 → v0.3.15}/lib/cmd/bundle/mcp.js +0 -0
- /package/framework/{v0.3.15-alpha.5 → v0.3.15}/lib/cmd/bundle/oas.js +0 -0
- /package/framework/{v0.3.15-alpha.5 → v0.3.15}/lib/cmd/bundle/openapi.js +0 -0
- /package/framework/{v0.3.15-alpha.5 → v0.3.15}/lib/cmd/bundle/remove.js +0 -0
- /package/framework/{v0.3.15-alpha.5 → v0.3.15}/lib/cmd/bundle/rename.js +0 -0
- /package/framework/{v0.3.15-alpha.5 → v0.3.15}/lib/cmd/bundle/restart.js +0 -0
- /package/framework/{v0.3.15-alpha.5 → v0.3.15}/lib/cmd/bundle/rm.js +0 -0
- /package/framework/{v0.3.15-alpha.5 → v0.3.15}/lib/cmd/bundle/start.js +0 -0
- /package/framework/{v0.3.15-alpha.5 → v0.3.15}/lib/cmd/bundle/status.js +0 -0
- /package/framework/{v0.3.15-alpha.5 → v0.3.15}/lib/cmd/bundle/stop.js +0 -0
- /package/framework/{v0.3.15-alpha.5 → v0.3.15}/lib/cmd/cache/stats.js +0 -0
- /package/framework/{v0.3.15-alpha.5 → v0.3.15}/lib/cmd/connector/add.js +0 -0
- /package/framework/{v0.3.15-alpha.5 → v0.3.15}/lib/cmd/connector/arguments.json +0 -0
- /package/framework/{v0.3.15-alpha.5 → v0.3.15}/lib/cmd/connector/help.js +0 -0
- /package/framework/{v0.3.15-alpha.5 → v0.3.15}/lib/cmd/connector/help.txt +0 -0
- /package/framework/{v0.3.15-alpha.5 → v0.3.15}/lib/cmd/connector/list.js +0 -0
- /package/framework/{v0.3.15-alpha.5 → v0.3.15}/lib/cmd/connector/migrate.js +0 -0
- /package/framework/{v0.3.15-alpha.5 → v0.3.15}/lib/cmd/connector/remove.js +0 -0
- /package/framework/{v0.3.15-alpha.5 → v0.3.15}/lib/cmd/connector/rm.js +0 -0
- /package/framework/{v0.3.15-alpha.5 → v0.3.15}/lib/cmd/env/add.js +0 -0
- /package/framework/{v0.3.15-alpha.5 → v0.3.15}/lib/cmd/env/get.js +0 -0
- /package/framework/{v0.3.15-alpha.5 → v0.3.15}/lib/cmd/env/help.js +0 -0
- /package/framework/{v0.3.15-alpha.5 → v0.3.15}/lib/cmd/env/help.txt +0 -0
- /package/framework/{v0.3.15-alpha.5 → v0.3.15}/lib/cmd/env/link-dev.js +0 -0
- /package/framework/{v0.3.15-alpha.5 → v0.3.15}/lib/cmd/env/list.js +0 -0
- /package/framework/{v0.3.15-alpha.5 → v0.3.15}/lib/cmd/env/remove.js +0 -0
- /package/framework/{v0.3.15-alpha.5 → v0.3.15}/lib/cmd/env/rm.js +0 -0
- /package/framework/{v0.3.15-alpha.5 → v0.3.15}/lib/cmd/env/set.js +0 -0
- /package/framework/{v0.3.15-alpha.5 → v0.3.15}/lib/cmd/env/unset.js +0 -0
- /package/framework/{v0.3.15-alpha.5 → v0.3.15}/lib/cmd/env/use.js +0 -0
- /package/framework/{v0.3.15-alpha.5 → v0.3.15}/lib/cmd/framework/arguments.json +0 -0
- /package/framework/{v0.3.15-alpha.5 → v0.3.15}/lib/cmd/framework/build.js +0 -0
- /package/framework/{v0.3.15-alpha.5 → v0.3.15}/lib/cmd/framework/dot.js +0 -0
- /package/framework/{v0.3.15-alpha.5 → v0.3.15}/lib/cmd/framework/get.js +0 -0
- /package/framework/{v0.3.15-alpha.5 → v0.3.15}/lib/cmd/framework/help.js +0 -0
- /package/framework/{v0.3.15-alpha.5 → v0.3.15}/lib/cmd/framework/help.txt +0 -0
- /package/framework/{v0.3.15-alpha.5 → v0.3.15}/lib/cmd/framework/init.js +0 -0
- /package/framework/{v0.3.15-alpha.5 → v0.3.15}/lib/cmd/framework/link-node-modules.js +0 -0
- /package/framework/{v0.3.15-alpha.5 → v0.3.15}/lib/cmd/framework/link.js +0 -0
- /package/framework/{v0.3.15-alpha.5 → v0.3.15}/lib/cmd/framework/msg.json +0 -0
- /package/framework/{v0.3.15-alpha.5 → v0.3.15}/lib/cmd/framework/open.js +0 -0
- /package/framework/{v0.3.15-alpha.5 → v0.3.15}/lib/cmd/framework/restart.js +0 -0
- /package/framework/{v0.3.15-alpha.5 → v0.3.15}/lib/cmd/framework/set.js +0 -0
- /package/framework/{v0.3.15-alpha.5 → v0.3.15}/lib/cmd/framework/start.js +0 -0
- /package/framework/{v0.3.15-alpha.5 → v0.3.15}/lib/cmd/framework/status.js +0 -0
- /package/framework/{v0.3.15-alpha.5 → v0.3.15}/lib/cmd/framework/stop.js +0 -0
- /package/framework/{v0.3.15-alpha.5 → v0.3.15}/lib/cmd/framework/tail.js +0 -0
- /package/framework/{v0.3.15-alpha.5 → v0.3.15}/lib/cmd/framework/update.js +0 -0
- /package/framework/{v0.3.15-alpha.5 → v0.3.15}/lib/cmd/framework/version.js +0 -0
- /package/framework/{v0.3.15-alpha.5 → v0.3.15}/lib/cmd/gina-dev.1.md +0 -0
- /package/framework/{v0.3.15-alpha.5 → v0.3.15}/lib/cmd/gina-framework.1.md +0 -0
- /package/framework/{v0.3.15-alpha.5 → v0.3.15}/lib/cmd/gina.1.md +0 -0
- /package/framework/{v0.3.15-alpha.5 → v0.3.15}/lib/cmd/helper.js +0 -0
- /package/framework/{v0.3.15-alpha.5 → v0.3.15}/lib/cmd/i18n/add.js +0 -0
- /package/framework/{v0.3.15-alpha.5 → v0.3.15}/lib/cmd/i18n/arguments.json +0 -0
- /package/framework/{v0.3.15-alpha.5 → v0.3.15}/lib/cmd/i18n/export.js +0 -0
- /package/framework/{v0.3.15-alpha.5 → v0.3.15}/lib/cmd/i18n/help.js +0 -0
- /package/framework/{v0.3.15-alpha.5 → v0.3.15}/lib/cmd/i18n/help.txt +0 -0
- /package/framework/{v0.3.15-alpha.5 → v0.3.15}/lib/cmd/i18n/import.js +0 -0
- /package/framework/{v0.3.15-alpha.5 → v0.3.15}/lib/cmd/i18n/scan.js +0 -0
- /package/framework/{v0.3.15-alpha.5 → v0.3.15}/lib/cmd/index.js +0 -0
- /package/framework/{v0.3.15-alpha.5 → v0.3.15}/lib/cmd/inspector/help.js +0 -0
- /package/framework/{v0.3.15-alpha.5 → v0.3.15}/lib/cmd/inspector/help.txt +0 -0
- /package/framework/{v0.3.15-alpha.5 → v0.3.15}/lib/cmd/inspector/open.js +0 -0
- /package/framework/{v0.3.15-alpha.5 → v0.3.15}/lib/cmd/minion/help.js +0 -0
- /package/framework/{v0.3.15-alpha.5 → v0.3.15}/lib/cmd/minion/help.txt +0 -0
- /package/framework/{v0.3.15-alpha.5 → v0.3.15}/lib/cmd/msg.json +0 -0
- /package/framework/{v0.3.15-alpha.5 → v0.3.15}/lib/cmd/port/help.js +0 -0
- /package/framework/{v0.3.15-alpha.5 → v0.3.15}/lib/cmd/port/help.txt +0 -0
- /package/framework/{v0.3.15-alpha.5 → v0.3.15}/lib/cmd/port/inc/scan.js +0 -0
- /package/framework/{v0.3.15-alpha.5 → v0.3.15}/lib/cmd/port/list.js +0 -0
- /package/framework/{v0.3.15-alpha.5 → v0.3.15}/lib/cmd/port/reset.js +0 -0
- /package/framework/{v0.3.15-alpha.5 → v0.3.15}/lib/cmd/port/set.js +0 -0
- /package/framework/{v0.3.15-alpha.5 → v0.3.15}/lib/cmd/project/add.js +0 -0
- /package/framework/{v0.3.15-alpha.5 → v0.3.15}/lib/cmd/project/arguments.json +0 -0
- /package/framework/{v0.3.15-alpha.5 → v0.3.15}/lib/cmd/project/build.js +0 -0
- /package/framework/{v0.3.15-alpha.5 → v0.3.15}/lib/cmd/project/help.js +0 -0
- /package/framework/{v0.3.15-alpha.5 → v0.3.15}/lib/cmd/project/help.txt +0 -0
- /package/framework/{v0.3.15-alpha.5 → v0.3.15}/lib/cmd/project/import.js +0 -0
- /package/framework/{v0.3.15-alpha.5 → v0.3.15}/lib/cmd/project/list.js +0 -0
- /package/framework/{v0.3.15-alpha.5 → v0.3.15}/lib/cmd/project/move.js +0 -0
- /package/framework/{v0.3.15-alpha.5 → v0.3.15}/lib/cmd/project/remove.js +0 -0
- /package/framework/{v0.3.15-alpha.5 → v0.3.15}/lib/cmd/project/rename.js +0 -0
- /package/framework/{v0.3.15-alpha.5 → v0.3.15}/lib/cmd/project/restart.js +0 -0
- /package/framework/{v0.3.15-alpha.5 → v0.3.15}/lib/cmd/project/rm.js +0 -0
- /package/framework/{v0.3.15-alpha.5 → v0.3.15}/lib/cmd/project/start.js +0 -0
- /package/framework/{v0.3.15-alpha.5 → v0.3.15}/lib/cmd/project/status.js +0 -0
- /package/framework/{v0.3.15-alpha.5 → v0.3.15}/lib/cmd/project/stop.js +0 -0
- /package/framework/{v0.3.15-alpha.5 → v0.3.15}/lib/cmd/protocol/help.js +0 -0
- /package/framework/{v0.3.15-alpha.5 → v0.3.15}/lib/cmd/protocol/help.txt +0 -0
- /package/framework/{v0.3.15-alpha.5 → v0.3.15}/lib/cmd/protocol/list.js +0 -0
- /package/framework/{v0.3.15-alpha.5 → v0.3.15}/lib/cmd/protocol/set.js +0 -0
- /package/framework/{v0.3.15-alpha.5 → v0.3.15}/lib/cmd/scope/add.js +0 -0
- /package/framework/{v0.3.15-alpha.5 → v0.3.15}/lib/cmd/scope/help.js +0 -0
- /package/framework/{v0.3.15-alpha.5 → v0.3.15}/lib/cmd/scope/help.txt +0 -0
- /package/framework/{v0.3.15-alpha.5 → v0.3.15}/lib/cmd/scope/link-local.js +0 -0
- /package/framework/{v0.3.15-alpha.5 → v0.3.15}/lib/cmd/scope/link-production.js +0 -0
- /package/framework/{v0.3.15-alpha.5 → v0.3.15}/lib/cmd/scope/list.js +0 -0
- /package/framework/{v0.3.15-alpha.5 → v0.3.15}/lib/cmd/scope/remove.js +0 -0
- /package/framework/{v0.3.15-alpha.5 → v0.3.15}/lib/cmd/scope/rm.js +0 -0
- /package/framework/{v0.3.15-alpha.5 → v0.3.15}/lib/cmd/scope/use.js +0 -0
- /package/framework/{v0.3.15-alpha.5 → v0.3.15}/lib/cmd/service/help.js +0 -0
- /package/framework/{v0.3.15-alpha.5 → v0.3.15}/lib/cmd/service/help.txt +0 -0
- /package/framework/{v0.3.15-alpha.5 → v0.3.15}/lib/cmd/service/list.js +0 -0
- /package/framework/{v0.3.15-alpha.5 → v0.3.15}/lib/cmd/view/add.js +0 -0
- /package/framework/{v0.3.15-alpha.5 → v0.3.15}/lib/collection/README.md +0 -0
- /package/framework/{v0.3.15-alpha.5 → v0.3.15}/lib/collection/build.json +0 -0
- /package/framework/{v0.3.15-alpha.5 → v0.3.15}/lib/collection/package.json +0 -0
- /package/framework/{v0.3.15-alpha.5 → v0.3.15}/lib/collection/src/main.js +0 -0
- /package/framework/{v0.3.15-alpha.5 → v0.3.15}/lib/config.js +0 -0
- /package/framework/{v0.3.15-alpha.5 → v0.3.15}/lib/connector-registry/package.json +0 -0
- /package/framework/{v0.3.15-alpha.5 → v0.3.15}/lib/connector-registry/src/main.js +0 -0
- /package/framework/{v0.3.15-alpha.5 → v0.3.15}/lib/cron/README.md +0 -0
- /package/framework/{v0.3.15-alpha.5 → v0.3.15}/lib/cron/package.json +0 -0
- /package/framework/{v0.3.15-alpha.5 → v0.3.15}/lib/cron/src/main.js +0 -0
- /package/framework/{v0.3.15-alpha.5 → v0.3.15}/lib/domain/LICENSE +0 -0
- /package/framework/{v0.3.15-alpha.5 → v0.3.15}/lib/domain/README.md +0 -0
- /package/framework/{v0.3.15-alpha.5 → v0.3.15}/lib/domain/package.json +0 -0
- /package/framework/{v0.3.15-alpha.5 → v0.3.15}/lib/domain/src/main.js +0 -0
- /package/framework/{v0.3.15-alpha.5 → v0.3.15}/lib/generator/index.js +0 -0
- /package/framework/{v0.3.15-alpha.5 → v0.3.15}/lib/i18n/package.json +0 -0
- /package/framework/{v0.3.15-alpha.5 → v0.3.15}/lib/i18n/src/main.js +0 -0
- /package/framework/{v0.3.15-alpha.5 → v0.3.15}/lib/index.js +0 -0
- /package/framework/{v0.3.15-alpha.5 → v0.3.15}/lib/inherits/LICENSE +0 -0
- /package/framework/{v0.3.15-alpha.5 → v0.3.15}/lib/inherits/README.md +0 -0
- /package/framework/{v0.3.15-alpha.5 → v0.3.15}/lib/inherits/package.json +0 -0
- /package/framework/{v0.3.15-alpha.5 → v0.3.15}/lib/inherits/src/main.js +0 -0
- /package/framework/{v0.3.15-alpha.5 → v0.3.15}/lib/inspector-redact/package.json +0 -0
- /package/framework/{v0.3.15-alpha.5 → v0.3.15}/lib/inspector-redact/src/main.js +0 -0
- /package/framework/{v0.3.15-alpha.5 → v0.3.15}/lib/logger/README.md +0 -0
- /package/framework/{v0.3.15-alpha.5 → v0.3.15}/lib/logger/package.json +0 -0
- /package/framework/{v0.3.15-alpha.5 → v0.3.15}/lib/logger/src/containers/default/index.js +0 -0
- /package/framework/{v0.3.15-alpha.5 → v0.3.15}/lib/logger/src/containers/file/index.js +0 -0
- /package/framework/{v0.3.15-alpha.5 → v0.3.15}/lib/logger/src/containers/file/lib/logrotator/README.md +0 -0
- /package/framework/{v0.3.15-alpha.5 → v0.3.15}/lib/logger/src/containers/file/lib/logrotator/index.js +0 -0
- /package/framework/{v0.3.15-alpha.5 → v0.3.15}/lib/logger/src/containers/mq/index.js +0 -0
- /package/framework/{v0.3.15-alpha.5 → v0.3.15}/lib/logger/src/containers/mq/listener.js +0 -0
- /package/framework/{v0.3.15-alpha.5 → v0.3.15}/lib/logger/src/containers/mq/speaker.js +0 -0
- /package/framework/{v0.3.15-alpha.5 → v0.3.15}/lib/logger/src/helper.js +0 -0
- /package/framework/{v0.3.15-alpha.5 → v0.3.15}/lib/logger/src/main.js +0 -0
- /package/framework/{v0.3.15-alpha.5 → v0.3.15}/lib/math/index.js +0 -0
- /package/framework/{v0.3.15-alpha.5 → v0.3.15}/lib/mcp-dispatch/package.json +0 -0
- /package/framework/{v0.3.15-alpha.5 → v0.3.15}/lib/mcp-dispatch/src/main.js +0 -0
- /package/framework/{v0.3.15-alpha.5 → v0.3.15}/lib/mcp-http/package.json +0 -0
- /package/framework/{v0.3.15-alpha.5 → v0.3.15}/lib/mcp-http/src/main.js +0 -0
- /package/framework/{v0.3.15-alpha.5 → v0.3.15}/lib/mcp-server/package.json +0 -0
- /package/framework/{v0.3.15-alpha.5 → v0.3.15}/lib/mcp-server/src/main.js +0 -0
- /package/framework/{v0.3.15-alpha.5 → v0.3.15}/lib/merge/README.md +0 -0
- /package/framework/{v0.3.15-alpha.5 → v0.3.15}/lib/merge/package.json +0 -0
- /package/framework/{v0.3.15-alpha.5 → v0.3.15}/lib/merge/src/main.js +0 -0
- /package/framework/{v0.3.15-alpha.5 → v0.3.15}/lib/metrics/package.json +0 -0
- /package/framework/{v0.3.15-alpha.5 → v0.3.15}/lib/metrics/src/main.js +0 -0
- /package/framework/{v0.3.15-alpha.5 → v0.3.15}/lib/model.js +0 -0
- /package/framework/{v0.3.15-alpha.5 → v0.3.15}/lib/nunjucks-filters/README.md +0 -0
- /package/framework/{v0.3.15-alpha.5 → v0.3.15}/lib/nunjucks-filters/package.json +0 -0
- /package/framework/{v0.3.15-alpha.5 → v0.3.15}/lib/nunjucks-filters/src/main.js +0 -0
- /package/framework/{v0.3.15-alpha.5 → v0.3.15}/lib/nunjucks-resolver/package.json +0 -0
- /package/framework/{v0.3.15-alpha.5 → v0.3.15}/lib/nunjucks-resolver/src/main.js +0 -0
- /package/framework/{v0.3.15-alpha.5 → v0.3.15}/lib/proc.js +0 -0
- /package/framework/{v0.3.15-alpha.5 → v0.3.15}/lib/routing/README.md +0 -0
- /package/framework/{v0.3.15-alpha.5 → v0.3.15}/lib/routing/build.json +0 -0
- /package/framework/{v0.3.15-alpha.5 → v0.3.15}/lib/routing/package.json +0 -0
- /package/framework/{v0.3.15-alpha.5 → v0.3.15}/lib/routing/src/main.js +0 -0
- /package/framework/{v0.3.15-alpha.5 → v0.3.15}/lib/routing/src/radix.js +0 -0
- /package/framework/{v0.3.15-alpha.5 → v0.3.15}/lib/routing-introspect/package.json +0 -0
- /package/framework/{v0.3.15-alpha.5 → v0.3.15}/lib/routing-introspect/src/main.js +0 -0
- /package/framework/{v0.3.15-alpha.5 → v0.3.15}/lib/secrets/package.json +0 -0
- /package/framework/{v0.3.15-alpha.5 → v0.3.15}/lib/secrets/src/backends/env.js +0 -0
- /package/framework/{v0.3.15-alpha.5 → v0.3.15}/lib/secrets/src/main.js +0 -0
- /package/framework/{v0.3.15-alpha.5 → v0.3.15}/lib/session-store.js +0 -0
- /package/framework/{v0.3.15-alpha.5 → v0.3.15}/lib/shell.js +0 -0
- /package/framework/{v0.3.15-alpha.5 → v0.3.15}/lib/state.js +0 -0
- /package/framework/{v0.3.15-alpha.5 → v0.3.15}/lib/swig-filters/README.md +0 -0
- /package/framework/{v0.3.15-alpha.5 → v0.3.15}/lib/swig-filters/package.json +0 -0
- /package/framework/{v0.3.15-alpha.5 → v0.3.15}/lib/swig-filters/src/main.js +0 -0
- /package/framework/{v0.3.15-alpha.5 → v0.3.15}/lib/swig-resolver/package.json +0 -0
- /package/framework/{v0.3.15-alpha.5 → v0.3.15}/lib/swig-resolver/src/main.js +0 -0
- /package/framework/{v0.3.15-alpha.5 → v0.3.15}/lib/url/README.md +0 -0
- /package/framework/{v0.3.15-alpha.5 → v0.3.15}/lib/url/index.js +0 -0
- /package/framework/{v0.3.15-alpha.5 → v0.3.15}/lib/url/routing.json +0 -0
- /package/framework/{v0.3.15-alpha.5 → v0.3.15}/lib/uuid/package.json +0 -0
- /package/framework/{v0.3.15-alpha.5 → v0.3.15}/lib/uuid/src/main.js +0 -0
- /package/framework/{v0.3.15-alpha.5 → v0.3.15}/lib/validator.js +0 -0
- /package/framework/{v0.3.15-alpha.5 → v0.3.15}/lib/watcher/package.json +0 -0
- /package/framework/{v0.3.15-alpha.5 → v0.3.15}/lib/watcher/src/main.js +0 -0
package/CHANGELOG.md
CHANGED
|
@@ -6,6 +6,31 @@ adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0.html),
|
|
|
6
6
|
and is generated by [Changie](https://github.com/miniscruff/changie).
|
|
7
7
|
|
|
8
8
|
|
|
9
|
+
## 0.3.15 - 2026-05-19
|
|
10
|
+
### Added
|
|
11
|
+
* New `isInList` form-validator rule for enum / membership validation. Accepts a JSON array of allowed primitive values (`"isInList": ["draft", "pending", "sent", "paid"]`) and rejects field values that are not strict-equal to any list member. Lives in the shared `form-validator.js`, so the rule fires on both server-side routing validation and client-side browser enforcement. Plugs into the existing `_case_<field>` conditional resolver without special-case handling.
|
|
12
|
+
### Changed
|
|
13
|
+
* Dropped dead `X-Powered-By: "Gina I/O - v${version}"` default from `core/template/conf/env.json`. The entry was structurally inert today — overwritten on Express by `server.js:2425`'s `setHeader` before any middleware ran, and never read by Isaac at all (`server.isaac.js` does not read `server.response.header`). Removing it has zero observable wire effect AND resolves a format inconsistency (only the canonical `Gina/<version>` shape remains on the wire). The `gina.plugins.HidePoweredBy()` middleware (Express) and `settings.json > server.hidePoweredBy: true` gate (Isaac, via the `_setPoweredByHeader()` helper at `server.isaac.js:572-577` covering all writeHead + setHeader emit sites) cleanly suppress the header. Plugin docstring, README, settings.json comments, and bundle boilerplate updated to describe the actual Phase 2 architecture.
|
|
14
|
+
### Security
|
|
15
|
+
* Added `gina.plugins.XContentTypeOptions()` — opt-in middleware that emits the `X-Content-Type-Options: nosniff` response header on every response (#HDR1). The header instructs browsers to honour the declared `Content-Type` strictly, blocking MIME-sniffing attacks where a `text/plain` response whose body starts with `<script>` could be upgraded to HTML and the script executed in the page's origin. Per RFC 7034 / WHATWG Fetch Standard, `nosniff` is the only valid value. Adoption is two lines in the bundle bootstrap: `var xContentTypeOptions = require('gina').plugins.XContentTypeOptions(); app.use(xContentTypeOptions);`. Idempotent — if an earlier middleware already set the header, the existing value is preserved and `next()` is called immediately (first- writer-wins, so the plugin is safe to stack with helmet-style upstream gates). No `enabled` flag — register to opt in, don't register to opt out. Settings template seeds `xContentTypeOptions: {}` (block reserved for future fields like per-route opt-out; future additions don't need an API break). Files: `core/plugins/lib/x-content-type-options/{src/main.js, package.json, README.md}`, registered in `core/plugins/index.js`. Boilerplate `core/template/boilerplate/bundle/index.js` advertises the adoption example as a commented-out block alongside the #CSRF1/#CSRF2 examples. Establishes the per-header response-middleware shape for the rest of Phase 1 (#HDR2 X-Frame-Options, #HDR3 Referrer-Policy, #HDR4 HSTS) and opens the new `#HDR` (Web Security Headers) roadmap track. 33 unit tests in `test/core/x-content-type-options-plugin.test.js`; full suite 5467/5467.
|
|
16
|
+
* Added `gina.plugins.XFrameOptions({ value })` — opt-in middleware that emits the `X-Frame-Options` response header on every response to defend against clickjacking (#HDR2). Controls whether the page may be rendered inside a `<frame>`, `<iframe>`, `<embed>` or `<object>`. Two valid values per RFC 7034: `DENY` (page may never be framed, even by same-origin pages) and `SAMEORIGIN` (default — page may be framed only by same-origin pages). Settings: `xFrameOptions.value` (defaults to `SAMEORIGIN`). Caller options always win over settings; values are normalised to uppercase (so `"deny"` is accepted and emitted as `DENY`). The legacy `"ALLOW-FROM <uri>"` value is rejected at factory call time with a dedicated error pointing at the modern `Content-Security-Policy: frame-ancestors` replacement — modern browsers ignore ALLOW-FROM (Chrome / Edge / Safari never honoured it cross-vendor, Firefox dropped it in 70). Invalid values throw at factory call time with a clear error listing the expected tokens (mirrors the #CSRF1 SameSite=None+Secure invariant and the planned #HDR4 preload-list invariant — fast-fail at bootstrap). Idempotent — if an earlier middleware already set the header, the existing value is preserved and `next()` is called immediately (first-writer-wins, safe to stack with helmet-style upstream gates). Files: `core/plugins/lib/x-frame-options/{src/main.js, package.json, README.md}`, registered in `core/plugins/index.js`. Settings template seeds `xFrameOptions: { value: "SAMEORIGIN" }` with the comment header explaining the default + the ALLOW-FROM rejection. Boilerplate `core/template/boilerplate/bundle/index.js` advertises the adoption example alongside the #HDR1 example. 51 unit tests in `test/core/x-frame-options-plugin.test.js` (full suite 5518/5518, prior 5467 + 51). Second of the four Phase 1 plugins on the `#HDR` Web Security Headers track; introduces the throw-on-invalid pattern that #HDR3 and #HDR4 will mirror.
|
|
17
|
+
* Added `gina.plugins.ReferrerPolicy({ value })` — opt-in middleware that emits the `Referrer-Policy` response header on every response to control referrer leakage (#HDR3). The `Referer` request header reveals the previous page URL — path and query string included — to the destination, which can leak session tokens, internal paths, account IDs, and search queries. The eight valid tokens per the W3C Referrer Policy spec: `no-referrer`, `no-referrer-when-downgrade`, `origin`, `origin-when-cross-origin`, `same-origin`, `strict-origin`, `strict-origin-when-cross-origin` (default — matches modern browsers since ~2021), `unsafe-url` (dangerous — leaks paths and queries). Settings: `referrerPolicy.value` (defaults to `strict-origin-when-cross-origin`). Caller options always win over settings; values are normalised to lowercase per the W3C spec's case-insensitive matching (so `"NO-REFERRER"` is accepted and emitted as `no-referrer`). Invalid tokens throw at factory call time with the full eight-token list + W3C spec URL in the message (mirrors the #HDR2 throw-on-invalid pattern — fast-fail at bootstrap). Idempotent — first-writer-wins. Files: `core/plugins/lib/referrer-policy/{src/main.js, package.json, README.md}`, registered in `core/plugins/index.js`. Settings template seeds `referrerPolicy: { value: "strict-origin-when-cross-origin" }` with the comment header listing all eight tokens. Boilerplate `core/template/boilerplate/bundle/index.js` advertises the adoption example alongside the #HDR1/#HDR2 examples. 56 unit tests in `test/core/referrer-policy-plugin.test.js` (full suite 5574/5574, prior 5518 + 56). Third of the four Phase 1 plugins on the `#HDR` Web Security Headers track; leaves #HDR4 HSTS as the final Phase 1 plugin (with the browser-parity invariant on `preload`).
|
|
18
|
+
* Added `gina.plugins.Hsts({ maxAge, includeSubDomains, preload })` — opt-in middleware that emits the `Strict-Transport-Security` response header on every response (#HDR4). Instructs browsers to access the host exclusively over HTTPS for the next maxAge seconds — defeats SSL-stripping attacks once the policy is in effect. Three configuration fields: `maxAge` (number, seconds, default 15552000 = 180 days), `includeSubDomains` (boolean, default false), `preload` (boolean, default false). Caller options always win over settings. Browser-parity invariant on `preload`: `preload:true` requires `includeSubDomains:true` AND `maxAge >= 31536000` (1 year) per the HSTS preload-list submission requirements (https://hstspreload.org/#deployment-recommendations); the factory throws at call time on invariant violations. Also throws on non-integer / negative / NaN / Infinity `maxAge`. Header value built per RFC 6797 §6.1 directive order (`max-age=<n>; includeSubDomains; preload` with max-age first and the optional directives appended in order when their fields are true). Spec deviation documented in README: emits on every response regardless of transport, matching helmet's behaviour — RFC 6797 §7.2 says senders MUST NOT include the header on HTTP, but §8.1 receiver MUST IGNORE makes the practical wire outcome identical. Design favours proxy-deployment robustness (no dependency on `x-forwarded-proto` being preserved by intermediaries) over sender-side spec purity. Idempotent — first-writer-wins. Files: `core/plugins/lib/hsts/{src/main.js, package.json, README.md}`, registered in `core/plugins/index.js`. Settings template seeds the three-field `hsts` block with `#HDR4` comment header. Boilerplate `core/template/boilerplate/bundle/index.js` advertises the adoption example alongside #HDR1/#HDR2/#HDR3 with the HTTPS-only note. 69 unit tests in `test/core/hsts-plugin.test.js` (full suite 5643/5643, prior 5574 + 69). 
**Fourth and final Phase 1 plugin on the `#HDR` Web Security Headers track** — closes the Phase 1 quartet of static-value response headers (X-Content-Type-Options + X-Frame-Options + Referrer-Policy + HSTS). Phase 2 (`Csp` #HDR5 + `CrossOriginPolicies` #HDR6) is deferred to `0.4.0` — dynamic / higher-break-risk headers that require template-render integration or can break legitimate cross-origin loads.
|
|
19
|
+
* Added `gina.plugins.OriginAgentCluster()` — opt-in middleware that emits the `Origin-Agent-Cluster: ?1` response header on every response (#HDR7). The header is a Structured Header Value (RFC 8941) requesting origin-keyed agent clustering — the page's origin gets its own agent isolated from sibling-origin pages, so same-site cross-origin pages can no longer reach in via `document.domain`. Mitigates one class of Spectre side-channel attack (the browser may place origin-keyed agents in their own OS process where possible). Per the HTML spec (https://html.spec.whatwg.org/multipage/document-sequences.html#origin-keyed-agent-clusters), `?1` is the only useful value (`?0` is the browser default and emitting it is a no-op); no tunable options today. Browser support: Chrome 88+, Edge 88+, Firefox 109+, Safari 15+ — older browsers ignore silently, safe to register unconditionally. **When NOT to register**: bundles that rely on `document.domain` to bridge same-site origins will break under origin-keyed clustering; rare in modern apps but worth checking. Mirrors the #HDR1 plugin shape EXACTLY (no validation, single static value, same `_resolveSettingsDefaults` + `_mergeOptions` helpers reserved for future-proofing). Idempotent — first-writer-wins. Files: `core/plugins/lib/origin-agent-cluster/{src/main.js, package.json, README.md}`, registered in `core/plugins/index.js`. Settings template seeds `originAgentCluster: {}` with `#HDR7` comment header. Boilerplate `core/template/boilerplate/bundle/index.js` advertises the adoption example alongside #HDR1-4. 33 unit tests in `test/core/origin-agent-cluster-plugin.test.js` (full suite 5676/5676, prior 5643 + 33). **Closes Phase 1 modern critical coverage** of the `#HDR` Web Security Headers track (5 of helmet's 9 modern headers covered; the remaining 4 are deferred to Phase 1.5 #HDR8-12 helmet-parity gap-fill and Phase 2 #HDR5 CSP + #HDR6 COEP/COOP/CORP for 0.4.0). 
Added 2026-05-17 after a helmet-parity audit caught the original Phase 1 framing missing Origin-Agent-Cluster.
|
|
20
|
+
* Added gina.plugins.Csp({ directives, reportOnly }) — opt-in middleware that emits the Content-Security-Policy response header on every response (#HDR5). Opens Phase 2 of the Web Security Headers track. v0 ships STATIC DIRECTIVES ONLY — per-response nonce wiring requires template-render integration and defers to a future CSP-aware view-layer plugin that can co-operate with swig / nunjucks template rendering. Strict whitelist of 27 CSP Level 3 standard directives (17 fetch + 2 document + 2 navigation + 2 reporting + 2 document-policies + 2 trusted-types); unknown directive names throw at factory call time because CSP typos are silent (browsers ignore unknown directives with no error, no console warning). Value parsing: array of source-list tokens (joined with space), pre-formatted string (emitted as-is), boolean true (boolean-only directives upgrade-insecure-requests / block-all-mixed-content + hybrid sandbox), boolean false (omit). reportOnly:true at top level switches the header name to Content-Security-Policy-Report-Only for non-enforcing migration testing. directives is required (factory throws if missing/empty — no sensible cross-bundle default since every bundle has its own resource graph). Mirrors the HDR1-7 plugin shape (idempotent first-writer-wins via res.getHeader) but introduces a new validation dimension: directive-name (object KEY) validation. 92 unit tests; full suite 5768/5768. Opens Phase 2 — HDR6 splits into Coep / Coop / Corp three plugins per the wrapper-consistency decision; HDR15 closes Phase 2 with gina.plugins.SecurityHeaders({...}) combined wrapper composing HDR1-7 + HDR5 + HDR6/13/14.
|
|
21
|
+
* Added gina.plugins.Coep({ value }) — opt-in middleware that emits the Cross-Origin-Embedder-Policy (COEP) response header on every response (#HDR6). Settings: coep.value is one of three W3C HTML spec tokens (require-corp, credentialless, unsafe-none); default require-corp matches helmet per-middleware default. Required (paired with Coop: same-origin / #HDR13) to enable SharedArrayBuffer and high-resolution performance.now() in the page. Caller options always win over settings; values are normalised to lowercase per the spec lowercase-enumeration convention. Mirrors the #HDR3 ReferrerPolicy single-enum plugin shape exactly (resolveSettingsDefaults + mergeOptions + resolveValue throw-on-invalid + idempotent first-writer-wins middleware via res.getHeader). The require-corp default BREAKS pages that load cross-origin resources (CDN fonts, images, scripts) without matching CORP/CORS headers — README walks users through the three escape hatches (set CORP via #HDR14, downgrade to credentialless, downgrade to unsafe-none). 56 unit tests; full suite 5824/5824. First of the three Phase 2 cross-origin policies — HDR13 Coop + HDR14 Corp + HDR15 SecurityHeaders combined wrapper to follow.
|
|
22
|
+
* Added gina.plugins.Coop({ value }) — opt-in middleware that emits the Cross-Origin-Opener-Policy (COOP) response header on every response (#HDR13). Settings: coop.value is one of four W3C HTML spec tokens (same-origin, same-origin-allow-popups, noopener-allow-popups, unsafe-none); default same-origin matches helmet per-middleware default. Required (paired with Coep: require-corp / #HDR6) to enable SharedArrayBuffer and high-resolution performance.now() in the page. Caller options always win over settings; values are normalised to lowercase. Mirrors the #HDR6 Coep single-enum plugin shape exactly (resolveSettingsDefaults + mergeOptions + resolveValue throw-on-invalid + idempotent first-writer-wins middleware via res.getHeader). The fourth token noopener-allow-popups is a W3C HTML spec addition (Chrome 119+, Firefox 131+) that severs window.opener for popups even at same-origin while keeping the popup window functional. The same-origin default BREAKS legitimate OAuth/SSO popup flows where the popup needs to call back into the opener via window.opener.postMessage(...); README walks users through the three escape hatches (pick same-origin-allow-popups for same-origin OAuth, pick noopener-allow-popups for one-way notifications back via BroadcastChannel/postMessage, downgrade to unsafe-none last resort). 61 unit tests; full suite 5885/5885. Second of the three Phase 2 cross-origin policies — HDR14 Corp + HDR15 SecurityHeaders combined wrapper to follow.
|
|
23
|
+
* Added gina.plugins.Corp({ value }) — opt-in middleware that emits the Cross-Origin-Resource-Policy (CORP) response header on every response (#HDR14). Settings: corp.value is one of three W3C HTML spec tokens (same-origin, same-site, cross-origin); default same-origin matches helmet per-middleware default. Resource-side complement to #HDR6 Coep require-corp enforcement — a page that sets Coep: require-corp requires its cross-origin embeds (CDN fonts, etc.) to carry a matching Corp: cross-origin (or wider) header on the embed-target bundle, otherwise the embed is blocked. Caller options always win over settings; values are normalised to lowercase. Mirrors the #HDR6 Coep + #HDR13 Coop single-enum plugin shape exactly (resolveSettingsDefaults + mergeOptions + resolveValue throw-on-invalid + idempotent first-writer-wins middleware via res.getHeader). The same-origin default defends against side-channel attacks that load a resource cross-origin to measure size/dimensions/timing for fingerprinting (and XSSI shapes are blocked) but BREAKS legitimate cross-origin embeds when the resource serves at a separate origin from the embedding page. README walks users through the three escape hatches (pick same-site for first-party multi-subdomain setups, pick cross-origin for publicly-embeddable CDN assets, per-bundle scoping where the page bundle keeps strict + the CDN bundle adopts cross-origin). 60 unit tests; full suite 5945/5945. Third and final of the three Phase 2 cross-origin policies — HDR15 SecurityHeaders combined wrapper follows as the closing slice of Phase 2.
|
|
24
|
+
* Added gina.plugins.SecurityHeaders({...}) — opt-in combined wrapper composing HDR1-7 + HDR5 + HDR6/13/14 in a single mount with one settings.json block (#HDR15). Closes Phase 2 of the Web Security Headers track. Batteries-included safe set: calling SecurityHeaders() with no opts mounts the 7 non-footgun plugins (xContentTypeOptions / xFrameOptions / referrerPolicy / hsts / originAgentCluster / coop / corp) with per-plugin defaults. CSP (#HDR5) and COEP (#HDR6) are opt-in-only because of known footguns (CSP throws on missing directives — no sensible cross-bundle default; COEP require-corp BREAKS embeds without CORP); bundles wanting them pass csp: { directives: {...} } or coep: true. Per-sub-config explicit opt-out via <key>: false or null (e.g. SecurityHeaders({ hsts: false }) for HTTP-only bundles). csp: {} (no directives) throws at factory call time matching standalone Csp behavior. Internal composition: SUB_PLUGINS registry array drives an Express-style sequential middleware runner; each sub-plugin factory is called at construction time (throws propagate to wrapper caller, fail-fast at bundle start); each sub-middleware emits its own header at runtime via the per-plugin idempotent first-writer-wins pattern. Individual plugins remain mountable independently as power-user escape hatches — stacking SecurityHeaders() with an upstream gina.plugins.Csp({...}) produces no double-emit. Settings precedence: per-plugin defaults < settings.json > <key>.* < settings.json > securityHeaders.<key>.* < wrapper opts. Mirrors helmet helmet() orchestrator shape per the helmet-parity narrative. 83 unit tests; full suite 6028/6028. Phase 2 closed — total 10 #HDR plugins shipped (HDR1-7 + HDR5 + HDR6/13/14 + HDR15 wrapper).
|
|
25
|
+
* Added gina.plugins.HidePoweredBy() — opt-in middleware that removes the X-Powered-By response header that gina emits by default at core/server.js:2425 (plus core/template/conf/env.json > response.header). Opens Phase 1.5 of the Web Security Headers track (helmet-parity gap-fill, #HDR8). Different SHAPE from #HDR1-#HDR7 — REMOVE pattern (res.removeHeader) not SET. Reduces the attacker reconnaissance surface — the server stack identity no longer leaks via the response header. No tunable options (mirrors helmet hidePoweredBy no-opts shape). Engine-asymmetric effectiveness: works as expected on the Express engine (server.js:2425 setHeader fires in early framework middleware before user app.use() mounts, so user-mounted removeHeader succeeds); on the Isaac engine, the 15+ direct response.writeHead({ X-Powered-By: ... }) call sites bypass the setHeader/removeHeader interface — middleware cannot intercept. README documents the gap; framework-level settings-flag for Isaac is a separate slice. Idempotent — removeHeader is a no-op when the header is absent. 37 unit tests in test/core/hide-powered-by-plugin.test.js.
|
|
26
|
+
* Added gina.plugins.XDnsPrefetchControl({ value }) — opt-in middleware that sets the X-DNS-Prefetch-Control response header on every response (#HDR9). Phase 1.5 (helmet-parity gap-fill) continues. Two valid tokens: "on" enables DNS prefetching for perceived-performance; "off" (default, matches helmet) is the privacy-respecting choice — the browser does not pre-resolve DNS for unclicked links, so the resolver only sees hostnames the user actually navigates to. API-shape divergence from helmet (which uses { allow: boolean }): gina uses { value: 'on'|'off' } matching the existing single-token-enum convention of #HDR2 / #HDR3 / #HDR6 / #HDR13 / #HDR14. README documents the helmet-to-gina mapping for migrators. Marginal practical value in 2026 — modern Chrome / Firefox have their own DNS-prefetch heuristics that mostly ignore the header; defense-in-depth + helmet-parity narrative. Caller options always win over settings; values are normalised to lowercase. Idempotent — first-writer-wins via res.getHeader. Mirrors the #HDR14 Corp single-enum plugin shape exactly. 57 unit tests in test/core/x-dns-prefetch-control-plugin.test.js including a negative-invariant lock on the helmet-shape { allow: true } silent-fallback (it does NOT enable DNS prefetching in gina — emits default "off"); user error surfaces at runtime via the gina-default rather than helmet-semantic.
|
|
27
|
+
* Added gina.plugins.XXssProtection() — opt-in middleware that emits the literal header X-XSS-Protection: 0 on every response, DISABLING Chrome legacy XSS auditor (#HDR10). Phase 1.5 (helmet-parity gap-fill) continues. The value "0" is deliberate — not a typo. Chrome XSS auditor itself had its own vulnerabilities (cross-site information disclosure); MDN recommendation is to DISABLE rather than enable. Use Content-Security-Policy (#HDR5) with a strong policy for the actual XSS defense; this header is defense-in-depth + helmet-parity narrative only. Browser status in 2026: Chrome dropped the auditor in v78 (2019); Edge follows Chrome; Firefox / Safari never implemented; IE11 honoured but is EOL — effectively a no-op header in modern browsers. No tunable options (mirrors helmet no-opts shape + the #HDR1 XContentTypeOptions plugin shape). Idempotent — first-writer-wins via res.getHeader; if an upstream middleware accidentally emits the unsafe "1; mode=block", this plugin does NOT override it (mount BEFORE the upstream to win). 37 unit tests in test/core/x-xss-protection-plugin.test.js including a negative-invariant lock pinning HEADER_VALUE is NOT any "1" variant + a string-not-number "0" emission lock + an idempotency assertion against upstream "1; mode=block" preservation.
|
|
28
|
+
* Added gina.plugins.XDownloadOptions() — opt-in middleware that emits the literal header X-Download-Options: noopen on every response (#HDR11). Phase 1.5 (helmet-parity gap-fill) continues. IE-legacy: prevents Internet Explorer 8+ from opening downloads in the site security context — an old IE vulnerability shape where the "Open" button on a download dialog opened the file in the SITE origin, allowing XSS-equivalent via downloaded HTML from a trusted site. The "noopen" value tells IE to remove the "Open" button entirely, forcing the user to "Save" the download before viewing it. Modern browsers (Chrome / Firefox / Safari / Edge) ignore the header silently; only IE10 / IE11 honour it (both EOL since June 2022) — effectively no-op in modern browsers. Defense-in-depth + helmet-parity narrative; ships for the vanishingly-rare IE11 holdout (enterprise legacy intranet, etc.). "noopen" is the only valid value per MSDN — there is no "open" alternative. No tunable options (mirrors helmet no-opts shape + the #HDR1 XContentTypeOptions / #HDR10 XXssProtection plugin shape). Idempotent — first-writer-wins via res.getHeader. 35 unit tests in test/core/x-download-options-plugin.test.js.
|
|
29
|
+
* Added gina.plugins.XPermittedCrossDomainPolicies({ value }) — opt-in middleware that sets the X-Permitted-Cross-Domain-Policies response header on every response (#HDR12). CLOSES Phase 1.5 (helmet-parity gap-fill). Restricts Adobe Flash and PDF readers from honouring cross-domain policy files served from this origin — defends against the cross-domain-data-read shape where a misconfigured crossdomain.xml could allow malicious Flash/PDF content on another site to read data from this one, bypassing the same-origin policy. Four valid Adobe spec tokens: "none" (default, most restrictive — no policy files honoured), "master-only" (only /crossdomain.xml is honoured), "by-content-type" (only files served with Content-Type: text/x-cross-domain-policy are treated as policy files), "all" (any policy file honoured — NOT recommended; defeats the header purpose). API-shape divergence from helmet (which uses { permittedPolicies: <enum> }): gina uses { value: <enum> } matching the existing single-token-enum convention of #HDR2 / #HDR3 / #HDR6 / #HDR9 / #HDR13 / #HDR14. README documents the helmet-to-gina mapping for migrators. Flash EOL since December 2020; Adobe Reader historically honoured the header but most modern PDF readers ignore it; defense-in-depth + helmet-parity narrative. Caller options always win over settings; values are normalised to lowercase. Idempotent — first-writer-wins via res.getHeader. Mirrors the #HDR14 Corp single-enum plugin shape exactly. 60 unit tests in test/core/x-permitted-cross-domain-policies-plugin.test.js including a negative-invariant lock on the helmet-shape { permittedPolicies: 'master-only' } silent-fallback (it does NOT switch the gina default — emits default "none"). CLOSES Phase 1.5 — all 5 helmet-parity plugins now shipped (#HDR8 + #HDR9 + #HDR10 + #HDR11 + #HDR12). Next slice: SecurityHeaders (#HDR15) wrapper extension to include HDR8-12 in the safe-set defaults.
|
|
30
|
+
* Extended gina.plugins.SecurityHeaders() (#HDR15) to include the Phase 1.5 helmet-parity plugins (HDR8-12) in its sub-plugin registry — wrapper safe-set grew from 7 to 12 plugins. Calling SecurityHeaders() with no opts now mounts the full 12-plugin non-footgun safe set (xContentTypeOptions, xFrameOptions, referrerPolicy, hsts, originAgentCluster, hidePoweredBy, xDnsPrefetchControl, xXssProtection, xDownloadOptions, xPermittedCrossDomainPolicies, coop, corp) with their per-plugin defaults. CSP (#HDR5) and COEP (#HDR6) remain opt-in only (unchanged — known footguns). Per-sub-config explicit opt-out via <key>: false or null continues to work for all 14 sub-plugins. Caller-supplied options always win over settings; the idempotent first-writer-wins pattern means no double-emit when stacking the wrapper with an upstream individual mount. SUB_PLUGINS registry order: HDR1, 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14 (Phase 1.5 block inserted between HDR7 and HDR13 — strict numeric order now that the gap is filled). Wrapper JSDoc + README updated: safe-set table grew from 7 to 12 rows; per-sub-config shapes table grew from 9 to 14 rows; reference links extended from 9 to 14. Wrapper test extended from 83 to 92 unit tests: structural test pins updated (9 to 14 sub-plugin factories + SUB_PLUGINS.length 9 to 14 + emission order array + sub-config keys array + safe-set 7 to 12 plugins); 9 new wrapper-integration tests added (safe-set HDR8 actually removes upstream X-Powered-By via the inline removeHeader-capable stub; per-sub-config opt-out tests for HDR8/9/10/11/12; per-sub-config option override for HDR9 and HDR12; sub-plugin invariant throw-through for HDR12). User-visible behavior change: bundles already using gina.plugins.SecurityHeaders() WITHOUT explicit sub-config opt-outs will now emit 5 additional response headers by default — defense-in-depth shape (helmet-parity narrative). 
Bundles wanting the old 7-plugin behavior can pass { hidePoweredBy: false, xDnsPrefetchControl: false, xXssProtection: false, xDownloadOptions: false, xPermittedCrossDomainPolicies: false } to skip the Phase 1.5 block. Settings template + boilerplate adoption example updated to reflect the new safe-set composition. CLOSES Phase 1.5 follow-on wrapper extension.
|
|
31
|
+
* Adding `server.hidePoweredBy` settings flag (#HDR8 Phase 2) that suppresses the 15 Isaac-engine `X-Powered-By` writeHead emissions the Phase 1 `gina.plugins.HidePoweredBy()` middleware cannot reach (writeHead bypasses setHeader/removeHeader). Default `false` preserves shipped behaviour; Isaac-engine bundles opt in by setting `server.hidePoweredBy: true` in settings.json. No-op on the Express engine — Express bundles use the Phase 1 middleware.
|
|
32
|
+
* Bumped `engine.io` to ^6.6.7 and `engine.io-client` to ^6.6.4, and forced the transitive `ws` dep to ^8.20.1 via npm `overrides` — closes CVE-2026-45736 (CWE-908 Use of Uninitialized Resource, CVSS 6.9 medium). The engine.io 6.x line still transitively pins the vulnerable `ws ~8.18.3`, so the override is the only available remediation path.
|
|
33
|
+
|
|
9
34
|
## 0.3.14 - 2026-05-16
|
|
10
35
|
### Changed
|
|
11
36
|
* Bumped the @rhinostone/swig dependency floor from ^2.3.0 to ^2.4.0 in framework/v*/package.json and root package.json. Version 2.4.0 adds ternary (a ? b : c) and Elvis (a ?: b) operator support in template expressions — usable in {{ }} output and in tag arguments such as {% if %}, {% set %}, {% for %} — plus two CLI/build fixes (mocha invocation in make coverage; EEXIST guard in swig compile -o). No template-engine API change at the surface gina calls; swigResolver DEFAULT_MIN stays at 2.0.0.
|
package/README.md
CHANGED
|
@@ -39,49 +39,13 @@ gina bundle:start api @myproject
|
|
|
39
39
|
open https://localhost:3100
|
|
40
40
|
```
|
|
41
41
|
|
|
42
|
-
## What's in 0.3.
|
|
43
|
-
|
|
44
|
-
- **
|
|
45
|
-
-
|
|
46
|
-
- **`gina
|
|
47
|
-
-
|
|
48
|
-
- **
|
|
49
|
-
- **`@rhinostone/swig` floor bumped to `^2.4.0`** — `2.4.0` adds ternary (`a ? b : c`) and Elvis (`a ?: b`) operator support in template expressions, plus two CLI/build fixes (`mocha` invocation in `make coverage`; `EEXIST` guard in `swig compile -o`). No template-engine API change at the surface gina calls. `swigResolver DEFAULT_MIN` stays at `2.0.0`.
|
|
50
|
-
- **Internal housekeeping** — `core/router.js` hot-reload no longer poisons the `require.cache` slot for `controller/index.js` (#B18, mirror of the `refreshCore()` fix shipped in `add6655e`). `script/post_publish.js bumpVersion` now refreshes the `framework/v*/VERSION` file content alongside the `renameSync` of the gitignored sibling, closing a drift family that previously needed manual repair after each alpha bump.
|
|
51
|
-
|
|
52
|
-
## What's in 0.3.13
|
|
53
|
-
|
|
54
|
-
- **`${secret:KEY}` placeholder substitution** (#SECRETS1) — bundle JSON configs (`settings.json`, `app.json`, `connectors.json`, `mcp.json`, …) can embed `${secret:KEY}` placeholders that the framework resolves from `process.env[KEY]` at config-load time, before the merged config reaches `getConfig()` or any plugin factory. Anchored to whole-string values; fails closed on an unset/empty var. `gina.plugins.Csrf()` reads `settings.csrf.secret` through it, and `gina bundle:mcp-start` resolves `mcp.json` placeholders such as `server.authToken`. Pluggable-backend interface reserved for a future iteration; only the `process.env` backend ships now.
|
|
55
|
-
- **Progressive Web App scaffold** (#R6) — `gina view:add` now drops a `manifest.webmanifest` and a cache-first service-worker stub (`sw.js`) into the bundle's `public/` directory, and wires the manifest `<link>`, a `theme-color` `<meta>`, an apple-touch-icon `<link>`, and an inline service-worker registration into the default layout. Zero runtime dependency — static files plus layout tags.
|
|
56
|
-
- **HTTP/2 rapid-reset rate limiter** (#H9) — the Isaac engine now bounds new-stream creation per session in a rolling one-second window; over `maxStreamsPerSecond` (default 200) it sends a `GOAWAY` and closes the session. An application-level layer over the OS-level CVE-2023-44487 mitigation in modern Node.js, complementing `maxSessionRejectedStreams` (which counts refused, not created, streams). Configurable via `settings.json` `http2Options.maxStreamsPerSecond`; `/_gina/info` exposes a `rapidResetBlocked` counter.
|
|
57
|
-
- **Eval-safety campaign completed** (#M20–#M22) — the multi-release effort to remove `eval` / `new Function` call sites from the published tarball is finished. The validator plugin's `makeObjectFromArgs` was refactored to a segments-array path build; the HTML-event-callback evals and the conditional-binding fallback were dropped; and the logger's circular-require `eval(fs.readFileSync(...))` fallbacks were eliminated by fixing the `merge → helpers → logger` cycle at its source. The one remaining eval is a load-bearing public-API site (user-defined form validators), kept by design with a documented trust model and an invariant test.
|
|
58
|
-
- **`@rhinostone/swig` floor bumped to `^2.3.0`** — `2.3.0` drops `yargs` and `terser` from the published package's production dependencies (CLI parsing is now a built-in zero-dependency parser; `terser` moved to `devDependencies`, loaded lazily), so a library install pulls in only `@rhinostone/swig-core` — a smaller transitive tree. No template-engine API or behaviour change.
|
|
59
|
-
- **`requireJSON` comment / URL fix** — `requireJSON` no longer mis-parses JSON config files that combine a `//` line comment with a URL string value (`"key": "https://…"`); the comment-stripping pass is now per-line on the leftmost `//`, so comment-bearing configs with URLs load cleanly.
|
|
60
|
-
- **Dev-mode hot-reload fix** — `refreshCore()` was rebuilding the `lib` / `plugins` `require.cache` entries with their exports objects instead of `Module` instances, crashing the controller render delegates with `Cannot read properties of undefined` after a hot reload; it now lets `require()` rebuild a proper `Module`. Also removed two dormant internal plugin directories (`core/plugins/lib/file/`, `core/plugins/lib/intl/`) with no known consumers — a slightly smaller npm tarball, no functional change.
|
|
61
|
-
|
|
62
|
-
## What's in 0.3.12
|
|
63
|
-
|
|
64
|
-
- **Spec-correct `+` decoding in URL query strings and urlencoded bodies** — fixes two complementary parsers that didn't decode `+` to space per RFC 1866 / WHATWG URL. The Isaac engine's URL query-string parser had no `+` substitution at all in either of its two branches (multi-value `&` loop + single-key `=` no-`&` path); the body parser's `application/x-www-form-urlencoded` content-type test was inverted, leaving `+` literal in `req.post` / `req.put` / `req.patch` values. Both now correctly produce space. Express engine was already spec-correct via `qs` defaults. Closes #B17.
|
|
65
|
-
- **Render-pipeline async-race safety** (#M1 family) — `render-swig.js` now captures `local.req` / `local.res` / `local.next` into function-scoped locals at the top of `render()` so post-`await` reads remain race-safe when a second `self.throwError()` fires during an in-flight `renderCustomError`. Same shape extended to `render-nunjucks.js`'s full call chain (`sendHtmlResponse`, `registerGinaFilters`, `writeCache`) and to `render-json.js`'s `writeCache` helper. Separate dev-mode layout cache ENOENT fix: the per-template layout cache write now uses an atomic temp+rename pattern so concurrent renders for the same `{% extends %}` URL no longer collide on the priming-block delete-then-rewrite. Production was unaffected (cached mode skips the path entirely). CVE-2023-25345 path-traversal boundary check preserved verbatim.
|
|
66
|
-
- **FormValidator form-reassociated radios — serialize-time scoping** — third sister fix for HTML5 form-reassociated radios sharing a name across sibling forms. The `isRequired` validator's radio-group case walked `document.getElementsByName($el.name)` without filtering by form-owner; submit-time serialization could leak a sibling form's `.checked` radio into the form-under-submission's payload. Now scopes the walk to the validator-bound radio's form-owner, mirroring the equivalent filter applied in 0.3.10's `updateRadio` (`80dd89f9`) and `bindForm` `defaultChecked` cache (`6e544411`). No-op for the normal single-form-owner shape.
|
|
67
|
-
- **`@rhinostone/swig` floor bumped to `^2.2.0`** — version-currency drift fix. The 2.1.0 release introduced a multi-flavor architecture (shared `@rhinostone/swig-core` plus per-flavor frontends including `@rhinostone/swig-twig` for Twig syntax); the native `@rhinostone/swig` package remains drop-in compatible with the API surface gina depends on. `swigResolver DEFAULT_MIN` stays at `2.0.0` — the framework does not depend on any new 2.1.0 / 2.2.0-only API.
|
|
68
|
-
|
|
69
|
-
## What's in 0.3.11
|
|
70
|
-
|
|
71
|
-
- **Internationalisation** (#I18N1 + #I18N2) — per-bundle JSON catalogs at `bundle/locales/<culture>.json`, `t(key, params, culture)` global helper auto-bound on controllers (`self.t()`) and as a swig + nunjucks `t` template filter, CLDR plurals via Node's built-in `Intl.PluralRules`, per-request locale negotiation (URL prefix > cookie > `Accept-Language` > settings default). New `gina i18n:scan / add / export / import` CLI for translator round-trip (PO / CSV / JSON). Optional ICU MessageFormat opt-in via `t.icu()` for gender / select / nested combinators powered by `intl-messageformat`. The legacy `__()` placeholder is rewired as a one-arg alias of `t()` — existing callers keep working.
|
|
72
|
-
- **Prometheus metrics endpoint** (#OBS1) — built-in `/_gina/metrics` exposing the standard Prometheus exposition format. Default metrics cover Node.js process state (heap, GC, event loop lag), HTTP request counter and duration histogram with cardinality-safe route labels (`req.routing.rule` with `__not_found__` / `__method_not_allowed__` / `__error__` / `__no_route__` fallbacks). IP-allowlist gated (loopback only by default; does NOT trust `X-Forwarded-For`). Opt-in via `app.json metrics.enabled`; install `prom-client` as a peer dependency.
|
|
73
|
-
- **ScyllaDB / Cassandra ORM connector** (#CN5) — entity classes with CQL prepared statements at `models/<keyspace>/cql/<Entity>/*.sql`, `@param` type coercion, lightweight-transaction (`IF NOT EXISTS`, `IF version = ?`) `[applied]` boolean handling, and a session store using CQL `USING TTL` for server-side reaping. Wraps the official `cassandra-driver` (Apache Software Foundation; Node.js has no first-party shard-aware driver, so token-aware routing is used). Requires Node 20+.
|
|
74
|
-
- **MongoDB ORM connector** (#CN6) — entity classes with JSON pipeline files at `models/<db>/pipelines/<Entity>/*.json`, JSDoc-style `@param`/`@return` headers, BSON-type casting (`objectid`, `int`, `long`, `double`, `boolean`, `date`, `timestamp`), `{$arg: N}` and `{$oid: "<hex>"}` placeholder shapes, eleven supported operations (`findOne` / `find` / `aggregate` / `countDocuments` / 7 writes), and a session store using a TTL index auto-created on first `set()` with `expiresAt > now` filtering on reads to cover MongoDB's 60-second TTL-monitor lag. Wraps the official `mongodb` driver.
|
|
75
|
-
- **`@rhinostone/swig` major bump 1.6.0 → 2.0.1** — upstream stable cycle. The framework's Phase 7 build switched from Closure-compiling `bin/swig.js` to copying the upstream esbuild bundle directly, so `swig-core`'s lazy `require()` works in the browser bundle. Resolver `DEFAULT_MIN` floor lifted to `2.0.0` — projects pinning `swig.useProject: true` need a `^2.0.0` install in their own `node_modules` to satisfy the resolver. Server-side API unchanged.
|
|
76
|
-
- **`page.section` auto-promotion** — `route.param.section` is now auto-promoted to `page.section` in the controller setup, for templates that compose include paths from a section name (sub-section dispatch from a single `index.html` that fans out to per-section partials based on the matched route).
|
|
77
|
-
- **X-Forwarded-Prefix per-request isolation** — fixes a cross-request webroot prefix leak under reverse-proxy sub-path mounts where the prefix was previously stored on `process.gina.PROXY_PREFIX` (process-global, sticky-after-first-request, leaking into direct/non-proxied calls); now per-request on `request._ginaProxyPrefix`. Combined with a synchronous `window.__ginaWebroot` global on the client to fix a `getDependencies` race where `gina.config.webroot` was undefined at script-tag onload time.
|
|
78
|
-
- **Release pipeline hardening** — three independent fixes for the `~/.gina/main.json` `def_framework` drift family: defensive pre-publish gate (`script/check_def_framework_consistency.js`), settings.json side fix in `prepare_version.js`, main.json side fix in `post_install.js` with a strict-semver comparator that skips def_framework updates on older-version reinstalls.
|
|
79
|
-
|
|
80
|
-
## What's in 0.3.10
|
|
81
|
-
|
|
82
|
-
- **FormValidator HTML5 form-reassociation hardening** — trilogy of fixes for `<input form="X">` controls. `bindForm` now uses `HTMLFormControlsCollection` (`form.elements`) for owner-aware control collection and attaches per-control listeners on out-of-tree reassociated controls; `unbindForm` symmetrically drains the side-table on cleanup. `updateRadio` scopes the mutual-exclusion peer set by form-owner — same-name radios in different form-owners are no longer cross-fired into each other's loop — and reconciles the IDL `.checked` with the HTML `checked` attribute on init when they disagree. `bindForm`'s `fieldsSet[id].defaultChecked` cache reads the IDL `defaultChecked` property (which mirrors the HTML attribute regardless of the live IDL state) instead of the live `.checked`, so a `type="reset"` action correctly restores the originally-checked option. No-op for the normal single-form-owner shape — only changes behaviour in the form-reassociation layouts that were broken.
|
|
83
|
-
- **`X-Forwarded-Prefix` reverse-proxy support** — when a reverse proxy (nginx, Traefik) mounts the bundle on a sub-path and forwards `proxy_set_header X-Forwarded-Prefix /sub;`, the framework composes a public webroot (proxy prefix + bundle internal `server.webroot`) and templates it into `gina.config.webroot`. Client-side URL construction (`/_gina/assets/routing.json` fetch, `gina.min.css` link injection, etc.) now targets the correct upstream through the proxy instead of root-relative URLs that route to whichever bundle answered `/`. Header value is normalised (leading slash, trailing slashes stripped, empty / `"/"` dropped); back-compat preserved when the header is absent.
|
|
84
|
-
- See 0.3.9 for the consumer-feedback 11-patch batch (per-request middleware dispatch isolation · Couchbase 4.x JsonTranscoder · `length` filter null safety · `process.env` mirroring · 6 nunjucks render-pipeline patches), and 0.3.8 for the install-script regression hotfix.
|
|
42
|
+
## What's in 0.3.15
|
|
43
|
+
|
|
44
|
+
- **Web Security Headers track** (#HDR family) — fifteen opt-in `gina.plugins.*` middlewares for response-header hardening, mirroring the `Session` / `Csrf` plugin shape. **Phase 1 modern critical coverage**: `XContentTypeOptions()` (#HDR1, `X-Content-Type-Options: nosniff`), `XFrameOptions()` (#HDR2, clickjacking defense), `ReferrerPolicy()` (#HDR3), `Hsts()` (#HDR4, `Strict-Transport-Security`), `OriginAgentCluster()` (#HDR7). **Phase 1.5 helmet-parity gap-fill**: `HidePoweredBy()` (#HDR8), `XDnsPrefetchControl()` (#HDR9), `XXssProtection()` (#HDR10, emits `0` per OWASP), `XDownloadOptions()` (#HDR11, IE-legacy `noopen`), `XPermittedCrossDomainPolicies()` (#HDR12). **Phase 2 cross-origin set**: `Csp()` (#HDR5, Content-Security-Policy), `Coep()` (#HDR6, Cross-Origin-Embedder-Policy), `Coop()` (#HDR13, Cross-Origin-Opener-Policy), `Corp()` (#HDR14, Cross-Origin-Resource-Policy). **Combined wrapper**: `gina.plugins.SecurityHeaders()` (#HDR15) — batteries-included default opting every plugin in via a single registration; individual plugins remain register-to-opt-in. All plugins idempotent (first-writer-wins), throw on invariant violations at factory call time, flat top-level settings under `settings.json`. No `helmet` dependency. See the [Security Headers guide](https://gina.io/docs/guides/security-headers).
|
|
45
|
+
- **`server.hidePoweredBy` settings flag** (#HDR8 Phase 2) — closes the Isaac-engine `X-Powered-By` emission gap that per-bundle middleware cannot reach. Removes the dead `X-Powered-By` default from the `env.json` template and adds a framework-level emission gate via a closure-helper; bundles opt in to header suppression at the engine level without registering the per-bundle plugin. Reconciles with `gina.plugins.HidePoweredBy()` docs.
|
|
46
|
+
- **`gina.validator.isInList`** — closed-set membership form-validation rule. Useful when a form field accepts a finite enumerated set (status codes, country codes, plan tiers). Out-of-set submissions are rejected before they reach controller code. Distinct from `lib/validator.js`'s separate role (see llms.txt #130).
|
|
47
|
+
- **Security: CVE-2026-45736 closed** (CWE-908 in `ws@8.18.3`) — `engine.io` bumped to `^6.6.7`, `engine.io-client` to `^6.6.4`, and `ws` forced to `^8.20.1` via npm `overrides`. Override route was the only remediation: `engine.io@6.6.7` still transitively pins `ws@~8.18.3` per Snyk's advisory, so a transitive bump alone would have left the vulnerable version reachable.
|
|
48
|
+
- **Internal housekeeping** — #HDR plugin family refactored under `core/plugins/lib/security-headers/` (restoring dir-name ↔ JS-name symmetry after the combined wrapper collapsed into the namespace). Leak-scan `ATTRIBUTION_PATHS` regex consolidated into a single `_load_private_tokens.js` loader (single source of truth). `post_publish.js bumpVersion` `local-sync` now warns on a non-match instead of silently skipping. llms.txt pruned (36 cluster lessons consolidated into 4 parent entries) per the size-guard rule.
|
|
85
49
|
|
|
86
50
|
See the full [Changelog](./CHANGELOG.md) and [Roadmap](./ROADMAP.md).
|
|
87
51
|
|
|
@@ -0,0 +1 @@
|
|
|
1
|
+
0.3.15
|
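--- a/package/gna.js
+++ b/package/gna.js
@@ -15,14 +15,14 @@
 'use strict';
 
 // Framework core — the main gna module (lifecycle hooks, lib, etc.)
-var _gna = require('./framework/v0.3.15
+var _gna = require('./framework/v0.3.15/core/gna');
 
 // SuperController and EntitySuper — loaded from their source modules
-var SuperController = require('./framework/v0.3.15
-var EntitySuper = require('./framework/v0.3.15
+var SuperController = require('./framework/v0.3.15/core/controller');
+var EntitySuper = require('./framework/v0.3.15/core/model/entity');
 
 // uuid — from the lib registry
-var uuid = require('./framework/v0.3.15
+var uuid = require('./framework/v0.3.15/lib/uuid');
 
 module.exports = {
 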
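--- a/package/package.json
+++ b/package/package.json
@@ -1,6 +1,6 @@
 {
 "name": "gina",
-"version": "0.3.15
+"version": "0.3.15",
 "description": "Node.js MVC framework with built-in HTTP/2, multi-bundle architecture, and scope-based data isolation — no Express dependency",
 "keywords": [
 "nodejs",
@@ -12,9 +12,25 @@
 "server-side-rendering",
 "event-driven",
 "multi-bundle",
+"typescript",
 "couchbase",
 "mongodb",
-"
+"scylladb",
+"cassandra",
+"mysql",
+"postgresql",
+"sqlite",
+"redis",
+"session-store",
+"csrf",
+"csp",
+"hsts",
+"security-headers",
+"prometheus",
+"metrics",
+"i18n",
+"mcp",
+"nunjucks",
 "gina",
 "ginajs"
 ],
@@ -56,7 +72,7 @@
 "gina-container": "bin/gina-container",
 "gina-init": "bin/gina-init"
 },
-"main": "./framework/v0.3.15
+"main": "./framework/v0.3.15/core/gna",
 "types": "./types/index.d.ts",
 "typesVersions": {
 "*": {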
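Review bot: None of the three hunks in this section touches `dependencies` or `overrides`, so the `ws` override that the changelog credits with closing CVE-2026-45736 cannot be checked here; it presumably landed in an earlier alpha or in the framework-level package.json. npm honours `overrides` only from the root project's package.json, so an application that installs gina as a dependency does not inherit an override declared in gina's own manifest. If the engine.io line still resolves to the `ws ~8.18.3` range as the changelog states, consumers would need `"overrides": { "ws": "^8.20.1" }` in their own package.json, and the release notes should say so; `npm ls ws` in a consuming project confirms which version is actually installed.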
@@ -1 +0,0 @@
|
|
|
1
|
-
0.3.15-alpha.5
|
|
File without changes
|
|
File without changes
|
|
File without changes
|
|
File without changes
|
|
File without changes
|
|
File without changes
|
|
File without changes
|
|
File without changes
|
|
File without changes
|
|
File without changes
|
|
File without changes
|
|
File without changes
|
|
File without changes
|
|
File without changes
|
/package/framework/{v0.3.15-alpha.5 → v0.3.15}/core/asset/plugin/dist/vendor/gina/css/gina.min.css
RENAMED
|
File without changes
|
|
File without changes
|
|
File without changes
|
|
File without changes
|
|
File without changes
|
|
File without changes
|
|
File without changes
|
|
File without changes
|
|
File without changes
|
|
File without changes
|
/package/framework/{v0.3.15-alpha.5 → v0.3.15}/core/asset/plugin/dist/vendor/gina/inspector/logo.svg
RENAMED
|
File without changes
|
/package/framework/{v0.3.15-alpha.5 → v0.3.15}/core/asset/plugin/dist/vendor/gina/js/gina.js
RENAMED
|
File without changes
|
/package/framework/{v0.3.15-alpha.5 → v0.3.15}/core/asset/plugin/dist/vendor/gina/js/gina.min.js
RENAMED
|
File without changes
|
/package/framework/{v0.3.15-alpha.5 → v0.3.15}/core/asset/plugin/dist/vendor/gina/js/gina.min.js.br
RENAMED
|
File without changes
|
/package/framework/{v0.3.15-alpha.5 → v0.3.15}/core/asset/plugin/dist/vendor/gina/js/gina.min.js.gz
RENAMED
|
File without changes
|
|
File without changes
|
|
File without changes
|
|
File without changes
|
|
File without changes
|
|
File without changes
|
|
File without changes
|
|
File without changes
|
|
File without changes
|
/package/framework/{v0.3.15-alpha.5 → v0.3.15}/core/connectors/couchbase/lib/connector.v2.js
RENAMED
|
File without changes
|
/package/framework/{v0.3.15-alpha.5 → v0.3.15}/core/connectors/couchbase/lib/connector.v3.js
RENAMED
|
File without changes
|
/package/framework/{v0.3.15-alpha.5 → v0.3.15}/core/connectors/couchbase/lib/connector.v4.js
RENAMED
|
File without changes
|
|
File without changes
|
/package/framework/{v0.3.15-alpha.5 → v0.3.15}/core/connectors/couchbase/lib/session-store.js
RENAMED
|
File without changes
|
/package/framework/{v0.3.15-alpha.5 → v0.3.15}/core/connectors/couchbase/lib/session-store.v2.js
RENAMED
|
File without changes
|
/package/framework/{v0.3.15-alpha.5 → v0.3.15}/core/connectors/couchbase/lib/session-store.v3.js
RENAMED
|
File without changes
|
/package/framework/{v0.3.15-alpha.5 → v0.3.15}/core/connectors/couchbase/lib/session-store.v4.js
RENAMED
|
File without changes
|
|
File without changes
|
|
File without changes
|
/package/framework/{v0.3.15-alpha.5 → v0.3.15}/core/connectors/mongodb/lib/pipeline-loader.js
RENAMED
|
File without changes
|
|
File without changes
|
|
File without changes
|
|
File without changes
|
|
File without changes
|
|
File without changes
|
|
File without changes
|
|
File without changes
|
|
File without changes
|
|
File without changes
|
/package/framework/{v0.3.15-alpha.5 → v0.3.15}/core/connectors/scylladb/lib/session-store.js
RENAMED
|
File without changes
|
|
File without changes
|
|
File without changes
|
|
File without changes
|
|
File without changes
|
|
File without changes
|
|
File without changes
|
|
File without changes
|
|
File without changes
|
/package/framework/{v0.3.15-alpha.5 → v0.3.15}/core/controller/controller.render-nunjucks.js
RENAMED
|
File without changes
|
|
File without changes
|
|
File without changes
|
|
File without changes
|
|
File without changes
|
|
File without changes
|
|
File without changes
|
|
File without changes
|
/package/framework/{v0.3.15-alpha.5 → v0.3.15}/core/deps/busboy-1.6.0/lib/types/multipart.js
RENAMED
|
File without changes
|
/package/framework/{v0.3.15-alpha.5 → v0.3.15}/core/deps/busboy-1.6.0/lib/types/urlencoded.js
RENAMED
|
File without changes
|
|
File without changes
|
|
File without changes
|
|
File without changes
|
|
File without changes
|
|
File without changes
|
|
File without changes
|
|
File without changes
|
|
File without changes
|
|
File without changes
|
|
File without changes
|
|
File without changes
|
|
File without changes
|
|
File without changes
|
|
File without changes
|
|
File without changes
|
|
File without changes
|
|
File without changes
|
|
File without changes
|
|
File without changes
|
|
File without changes
|
|
File without changes
|
|
File without changes
|
|
File without changes
|
|
File without changes
|
|
File without changes
|
|
File without changes
|
|
File without changes
|
|
File without changes
|
/package/framework/{v0.3.15-alpha.5 → v0.3.15}/core/plugins/lib/security-headers/coep/README.md
RENAMED
|
File without changes
|
/package/framework/{v0.3.15-alpha.5 → v0.3.15}/core/plugins/lib/security-headers/coep/package.json
RENAMED
|
File without changes
|
/package/framework/{v0.3.15-alpha.5 → v0.3.15}/core/plugins/lib/security-headers/coep/src/main.js
RENAMED
|
File without changes
|
/package/framework/{v0.3.15-alpha.5 → v0.3.15}/core/plugins/lib/security-headers/coop/README.md
RENAMED
|
File without changes
|
/package/framework/{v0.3.15-alpha.5 → v0.3.15}/core/plugins/lib/security-headers/coop/package.json
RENAMED
|
File without changes
|
/package/framework/{v0.3.15-alpha.5 → v0.3.15}/core/plugins/lib/security-headers/coop/src/main.js
RENAMED
|
File without changes
|
/package/framework/{v0.3.15-alpha.5 → v0.3.15}/core/plugins/lib/security-headers/corp/README.md
RENAMED
|
File without changes
|
/package/framework/{v0.3.15-alpha.5 → v0.3.15}/core/plugins/lib/security-headers/corp/package.json
RENAMED
|
File without changes
|
/package/framework/{v0.3.15-alpha.5 → v0.3.15}/core/plugins/lib/security-headers/corp/src/main.js
RENAMED
|
File without changes
|
/package/framework/{v0.3.15-alpha.5 → v0.3.15}/core/plugins/lib/security-headers/csp/README.md
RENAMED
|
File without changes
|
/package/framework/{v0.3.15-alpha.5 → v0.3.15}/core/plugins/lib/security-headers/csp/package.json
RENAMED
|
File without changes
|
/package/framework/{v0.3.15-alpha.5 → v0.3.15}/core/plugins/lib/security-headers/csp/src/main.js
RENAMED
|
File without changes
|
|
File without changes
|
|
File without changes
|